Resubmissions

06-08-2024 12:57

240806-p7blyatdrd 3

05-08-2024 22:55

240805-2v3wwa1ekm 10

Analysis

  • max time kernel
    742s
  • max time network
    745s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    05-08-2024 22:55

General

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://149.129.72.37:23456/SNpK

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

crimsonrat

C2

185.136.161.124

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

  • CryptoLocker

    Ransomware family with multiple variants.

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • UAC bypass 3 TTPs 5 IoCs
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Windows security bypass 2 TTPs 1 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • ModiLoader First Stage 2 IoCs
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

  • RevengeRat Executable 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Blocks application from running via registry modification 13 IoCs

    Adds application to list of disallowed applications.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Modifies Windows Firewall 2 TTPs 24 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 9 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) 4 TTPs
  • Drops startup file 8 IoCs
  • Executes dropped EXE 59 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 62 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Indicator Removal: Clear Persistence 1 TTPs 3 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 7 IoCs
  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 21 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 12 IoCs
  • Drops file in Program Files directory 43 IoCs
  • Launches sc.exe 24 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 14 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 7 IoCs
  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 5 IoCs
  • Modifies registry class 11 IoCs
  • NTFS ADS 38 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 47 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pornhub.com
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa16b83cb8,0x7ffa16b83cc8,0x7ffa16b83cd8
      2⤵
        PID:1556
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
        2⤵
          PID:4988
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3536
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
          2⤵
            PID:1516
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
            2⤵
              PID:3908
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
              2⤵
                PID:4444
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
                2⤵
                  PID:4636
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3320
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3616
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
                  2⤵
                    PID:2736
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
                    2⤵
                      PID:1312
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
                      2⤵
                        PID:3744
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
                        2⤵
                          PID:3164
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
                          2⤵
                            PID:4764
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:1
                            2⤵
                              PID:5036
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1100
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1508
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
                                1⤵
                                • Enumerates system info in registry
                                • Modifies registry class
                                • NTFS ADS
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: GetForegroundWindowSpam
                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                • Suspicious use of SetWindowsHookEx
                                PID:3152
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa16b83cb8,0x7ffa16b83cc8,0x7ffa16b83cd8
                                  2⤵
                                    PID:1100
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
                                    2⤵
                                      PID:4400
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:4884
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
                                      2⤵
                                        PID:4868
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
                                        2⤵
                                          PID:4476
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
                                          2⤵
                                            PID:1924
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
                                            2⤵
                                              PID:1236
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
                                              2⤵
                                                PID:2548
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
                                                2⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:1992
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
                                                2⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:3100
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
                                                2⤵
                                                  PID:2112
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
                                                  2⤵
                                                    PID:496
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5320 /prefetch:8
                                                    2⤵
                                                      PID:4136
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5280 /prefetch:8
                                                      2⤵
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:4448
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
                                                      2⤵
                                                        PID:3144
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
                                                        2⤵
                                                          PID:1948
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
                                                          2⤵
                                                            PID:4684
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
                                                            2⤵
                                                              PID:1612
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
                                                              2⤵
                                                                PID:904
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
                                                                2⤵
                                                                  PID:4060
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
                                                                  2⤵
                                                                    PID:2752
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
                                                                    2⤵
                                                                      PID:2476
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:8
                                                                      2⤵
                                                                        PID:2704
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6692 /prefetch:8
                                                                        2⤵
                                                                        • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                        • NTFS ADS
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:4732
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
                                                                        2⤵
                                                                          PID:1720
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
                                                                          2⤵
                                                                            PID:4620
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7224 /prefetch:8
                                                                            2⤵
                                                                              PID:3464
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
                                                                              2⤵
                                                                              • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                              • NTFS ADS
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:4344
                                                                            • C:\Users\Admin\Downloads\Blackkomet.exe
                                                                              "C:\Users\Admin\Downloads\Blackkomet.exe"
                                                                              2⤵
                                                                              • Modifies WinLogon for persistence
                                                                              • Executes dropped EXE
                                                                              • Adds Run key to start application
                                                                              • Drops file in System32 directory
                                                                              • Modifies registry class
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4100
                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
                                                                                3⤵
                                                                                • Sets file to hidden
                                                                                • Views/modifies file attributes
                                                                                PID:4320
                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                attrib "C:\Users\Admin\Downloads" +s +h
                                                                                3⤵
                                                                                • Sets file to hidden
                                                                                • Views/modifies file attributes
                                                                                PID:2484
                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                3⤵
                                                                                • Modifies WinLogon for persistence
                                                                                • Executes dropped EXE
                                                                                • Adds Run key to start application
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1704
                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                  notepad
                                                                                  4⤵
                                                                                    PID:2116
                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                    4⤵
                                                                                    • Sets file to hidden
                                                                                    • Drops file in System32 directory
                                                                                    • Views/modifies file attributes
                                                                                    PID:716
                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                    4⤵
                                                                                    • Sets file to hidden
                                                                                    • Drops file in System32 directory
                                                                                    • Views/modifies file attributes
                                                                                    PID:1960
                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                    4⤵
                                                                                    • Modifies WinLogon for persistence
                                                                                    • Executes dropped EXE
                                                                                    • Adds Run key to start application
                                                                                    • Drops file in System32 directory
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4588
                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                      notepad
                                                                                      5⤵
                                                                                      • Adds Run key to start application
                                                                                      • Drops file in System32 directory
                                                                                      PID:3700
                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                      5⤵
                                                                                      • Sets file to hidden
                                                                                      • Drops file in System32 directory
                                                                                      • Views/modifies file attributes
                                                                                      PID:4704
                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                      5⤵
                                                                                      • Sets file to hidden
                                                                                      • Drops file in System32 directory
                                                                                      • Views/modifies file attributes
                                                                                      PID:2916
                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                      5⤵
                                                                                        PID:5688
                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                      4⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:4688
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7228 /prefetch:2
                                                                                  2⤵
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:2156
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
                                                                                  2⤵
                                                                                    PID:1512
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
                                                                                    2⤵
                                                                                    • NTFS ADS
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:3304
                                                                                  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                                    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CobaltStrike.doc" /o ""
                                                                                    2⤵
                                                                                    • Checks processor information in registry
                                                                                    • Enumerates system info in registry
                                                                                    • Suspicious behavior: AddClipboardFormatListener
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:5036
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      C:\Windows\SysWOW64\rundll32.exe
                                                                                      3⤵
                                                                                      • Process spawned unexpected child process
                                                                                      • Blocklisted process makes network request
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:2716
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
                                                                                    2⤵
                                                                                      PID:1492
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5336 /prefetch:8
                                                                                      2⤵
                                                                                        PID:3412
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3048 /prefetch:8
                                                                                        2⤵
                                                                                        • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                        • NTFS ADS
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        PID:4612
                                                                                      • C:\Users\Admin\Downloads\CrimsonRAT.exe
                                                                                        "C:\Users\Admin\Downloads\CrimsonRAT.exe"
                                                                                        2⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:2108
                                                                                        • C:\ProgramData\Hdlharas\dlrarhsiva.exe
                                                                                          "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:3936
                                                                                      • C:\Users\Admin\Downloads\CrimsonRAT.exe
                                                                                        "C:\Users\Admin\Downloads\CrimsonRAT.exe"
                                                                                        2⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:2252
                                                                                        • C:\ProgramData\Hdlharas\dlrarhsiva.exe
                                                                                          "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:2116
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
                                                                                        2⤵
                                                                                          PID:4488
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7116 /prefetch:8
                                                                                          2⤵
                                                                                            PID:4812
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7256 /prefetch:8
                                                                                            2⤵
                                                                                            • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                            • NTFS ADS
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            PID:880
                                                                                          • C:\Users\Admin\Downloads\NJRat.exe
                                                                                            "C:\Users\Admin\Downloads\NJRat.exe"
                                                                                            2⤵
                                                                                            • Drops startup file
                                                                                            • Executes dropped EXE
                                                                                            • Adds Run key to start application
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                            PID:2328
                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
                                                                                              3⤵
                                                                                              • Modifies Windows Firewall
                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                              PID:2304
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
                                                                                            2⤵
                                                                                              PID:1824
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 /prefetch:8
                                                                                              2⤵
                                                                                                PID:2292
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7360 /prefetch:8
                                                                                                2⤵
                                                                                                • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                • NTFS ADS
                                                                                                PID:2192
                                                                                              • C:\Users\Admin\Downloads\NetWire.exe
                                                                                                "C:\Users\Admin\Downloads\NetWire.exe"
                                                                                                2⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:3488
                                                                                                • C:\Users\Admin\Downloads\NetWire.exe
                                                                                                  "C:\Users\Admin\Downloads\NetWire.exe"
                                                                                                  3⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Adds Run key to start application
                                                                                                  • Suspicious use of SetThreadContext
                                                                                                  PID:4812
                                                                                                  • C:\Program Files (x86)\internet explorer\ieinstal.exe
                                                                                                    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
                                                                                                    4⤵
                                                                                                      PID:2088
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
                                                                                                  2⤵
                                                                                                    PID:4976
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
                                                                                                    2⤵
                                                                                                      PID:2456
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7408 /prefetch:8
                                                                                                      2⤵
                                                                                                      • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                      • NTFS ADS
                                                                                                      PID:3476
                                                                                                    • C:\Users\Admin\Downloads\RevengeRAT.exe
                                                                                                      "C:\Users\Admin\Downloads\RevengeRAT.exe"
                                                                                                      2⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of SetThreadContext
                                                                                                      PID:1436
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                        3⤵
                                                                                                        • Drops startup file
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        • NTFS ADS
                                                                                                        PID:2856
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                          4⤵
                                                                                                            PID:3988
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q6xquj2k.cmdline"
                                                                                                            4⤵
                                                                                                              PID:5496
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE47C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE65743EB3704697BC8CC63388A4E57.TMP"
                                                                                                                5⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:5768
                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vo-ewgsx.cmdline"
                                                                                                              4⤵
                                                                                                                PID:5948
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE518.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28074EE8476C48AA8ED6E6DE3D15C17.TMP"
                                                                                                                  5⤵
                                                                                                                    PID:5208
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-pbkpupm.cmdline"
                                                                                                                  4⤵
                                                                                                                    PID:5528
                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE585.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc721CE011AD7C4B7481F1EFCB54F02CB5.TMP"
                                                                                                                      5⤵
                                                                                                                        PID:5936
                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1y1wdavs.cmdline"
                                                                                                                      4⤵
                                                                                                                        PID:5204
                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE612.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc99DEE7DD3E874E1A975B9445DF8126.TMP"
                                                                                                                          5⤵
                                                                                                                            PID:5868
                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oe-umgbz.cmdline"
                                                                                                                          4⤵
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:5376
                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F2073E7A0E04299A8497FEBE9502EDA.TMP"
                                                                                                                            5⤵
                                                                                                                              PID:5636
                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eknob0af.cmdline"
                                                                                                                            4⤵
                                                                                                                              PID:1980
                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE74A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD781DC1779E14586AE4161FBF7EAC172.TMP"
                                                                                                                                5⤵
                                                                                                                                  PID:3876
                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7sjddnqt.cmdline"
                                                                                                                                4⤵
                                                                                                                                  PID:1828
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC21B72DE1F5F4A46A7A83E844C0A714.TMP"
                                                                                                                                    5⤵
                                                                                                                                      PID:4728
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnfcj_y_.cmdline"
                                                                                                                                    4⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4120
                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF132745950C4F26AC60CECABF9DCF81.TMP"
                                                                                                                                      5⤵
                                                                                                                                        PID:6116
                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d8f_c0zn.cmdline"
                                                                                                                                      4⤵
                                                                                                                                        PID:2848
                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE96D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEF927DBD830499FBF1702C39CD6C69.TMP"
                                                                                                                                          5⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:4100
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jypthmud.cmdline"
                                                                                                                                        4⤵
                                                                                                                                          PID:1872
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc620AC4391C204573B182AD37BA86F6A0.TMP"
                                                                                                                                            5⤵
                                                                                                                                              PID:1080
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hxywqt5.cmdline"
                                                                                                                                            4⤵
                                                                                                                                              PID:3352
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB04.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1C213B17BB0440A853D574783397DEA.TMP"
                                                                                                                                                5⤵
                                                                                                                                                  PID:2244
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cuvjhepc.cmdline"
                                                                                                                                                4⤵
                                                                                                                                                  PID:1924
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB16E6E8E3A5D4912934CF68814CAEFE0.TMP"
                                                                                                                                                    5⤵
                                                                                                                                                      PID:2252
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\isz2u0gd.cmdline"
                                                                                                                                                    4⤵
                                                                                                                                                      PID:3696
                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7AB75384D11411BA5401E16CA71A93.TMP"
                                                                                                                                                        5⤵
                                                                                                                                                          PID:1992
                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhu-najg.cmdline"
                                                                                                                                                        4⤵
                                                                                                                                                          PID:3532
                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61745F29B4A94F4CA8238C36587CAAA.TMP"
                                                                                                                                                            5⤵
                                                                                                                                                              PID:4536
                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-4khe5qe.cmdline"
                                                                                                                                                            4⤵
                                                                                                                                                              PID:1612
                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc23530DAEB6B645BEBEEE5FDCCFD7567.TMP"
                                                                                                                                                                5⤵
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:5320
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytds4hvg.cmdline"
                                                                                                                                                              4⤵
                                                                                                                                                                PID:5416
                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc646D2FB94BCC4F3EBF5EB72A4B1E9CA.TMP"
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:3744
                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d7vp8w5w.cmdline"
                                                                                                                                                                  4⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:5848
                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB16597882BF4A2982AECB4030D01FB.TMP"
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:5172
                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6mgdjqtd.cmdline"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:1276
                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF063.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8211094F9BD482A971B96671F3D4142.TMP"
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:2924
                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stuz49pd.cmdline"
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:5460
                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA74D00FEA3C544D1BED3CC51EC8EE88.TMP"
                                                                                                                                                                            5⤵
                                                                                                                                                                              PID:5516
                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uljbndha.cmdline"
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:5892
                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF16C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F995A97782C4D5C82576AC1B4689A2.TMP"
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:6108
                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2d8qudjt.cmdline"
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:5448
                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF208.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF91818E93B504078ACC988941BBE3C94.TMP"
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:5504
                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:548
                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Drops startup file
                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                      • NTFS ADS
                                                                                                                                                                                      PID:4744
                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:4980
                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                          schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                                                                                          6⤵
                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                          PID:5360
                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ocnzx2mj.cmdline"
                                                                                                                                                                                          6⤵
                                                                                                                                                                                            PID:5832
                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6D48A4BA0BC44988656E67E8B64D3E2.TMP"
                                                                                                                                                                                              7⤵
                                                                                                                                                                                                PID:4368
                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjshrs8e.cmdline"
                                                                                                                                                                                              6⤵
                                                                                                                                                                                                PID:2908
                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB52FD8B6EF14CB599F46E15A29E41E.TMP"
                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                    PID:6120
                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3xrn47o.cmdline"
                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                    PID:5744
                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4422C4E6DC664178A147312DAB08CEF.TMP"
                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                        PID:5708
                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q5ecrx4q.cmdline"
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                        PID:5400
                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc994F3956B6C245F28A89AF84C19CD125.TMP"
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:5616
                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pzxkh9qh.cmdline"
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:5372
                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BD7B1684A4C472BAF31EB7ED0353097.TMP"
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:5444
                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dlgrnvxm.cmdline"
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                          PID:964
                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66E1BF799E14FBC867E174EBFDA155.TMP"
                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                              PID:1240
                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ahhpmibz.cmdline"
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                              PID:2208
                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4511A507F40246E7BCEC35BBB8A824C9.TMP"
                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                  PID:6068
                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wni0eu2d.cmdline"
                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                  PID:4564
                                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc130BB9AFFD1A42BEA564A81C209E3081.TMP"
                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                      PID:5972
                                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1wys_npk.cmdline"
                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                      PID:3820
                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AD95FD171EA44DEB23CEFDA677F1AB4.TMP"
                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                          PID:1704
                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c-pxhf0i.cmdline"
                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                          PID:2492
                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB038.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc272530A3AD654AEAACB01E9448355039.TMP"
                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:2496
                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\piyhyrni.cmdline"
                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                            PID:3432
                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB62D42C246034B9589DA5EED90B1150.TMP"
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                PID:5148
                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:5260
                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5988 /prefetch:8
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:5332
                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:8
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                          • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                                                                                                                                          • NTFS ADS
                                                                                                                                                                                                                          PID:5992
                                                                                                                                                                                                                        • C:\Users\Admin\Downloads\WarzoneRAT.exe
                                                                                                                                                                                                                          "C:\Users\Admin\Downloads\WarzoneRAT.exe"
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                          • NTFS ADS
                                                                                                                                                                                                                          PID:5688
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE8C1.tmp"
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                            PID:1916
                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:2468
                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7296 /prefetch:8
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:5544
                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:4100
                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:3804
                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:3352
                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:4708
                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:5460
                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8048 /prefetch:8
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:3708
                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7868 /prefetch:8
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                                                                                                                                                          • NTFS ADS
                                                                                                                                                                                                                                          PID:5952
                                                                                                                                                                                                                                        • C:\Users\Admin\Downloads\AgentTesla.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\Downloads\AgentTesla.exe"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                          PID:916
                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:3620
                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7732 /prefetch:8
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:4308
                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                                                                                                                                                              • NTFS ADS
                                                                                                                                                                                                                                              PID:2348
                                                                                                                                                                                                                                            • C:\Users\Admin\Downloads\butterflyondesktop.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\Downloads\butterflyondesktop.exe"
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                              PID:6084
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-AL23C.tmp\butterflyondesktop.tmp
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-AL23C.tmp\butterflyondesktop.tmp" /SL5="$290280,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                PID:4500
                                                                                                                                                                                                                                                • C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                  PID:4716
                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                    PID:5476
                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16b83cb8,0x7ffa16b83cc8,0x7ffa16b83cd8
                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                        PID:1308
                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:3352
                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:1488
                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:5192
                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:5936
                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:5556
                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:2108
                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:5416
                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 /prefetch:8
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                                                                                PID:1472
                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\Azorult.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\Downloads\Azorult.exe"
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                • Blocks application from running via registry modification
                                                                                                                                                                                                                                                                • Drops file in Drivers directory
                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                • Modifies WinLogon
                                                                                                                                                                                                                                                                • Hide Artifacts: Hidden Users
                                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                                                                PID:3696
                                                                                                                                                                                                                                                                • C:\ProgramData\Microsoft\Intel\wini.exe
                                                                                                                                                                                                                                                                  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                  PID:4024
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                      PID:5276
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        PID:4308
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\regedit.exe
                                                                                                                                                                                                                                                                          regedit /s "reg1.reg"
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                          • UAC bypass
                                                                                                                                                                                                                                                                          • Windows security bypass
                                                                                                                                                                                                                                                                          • Hide Artifacts: Hidden Users
                                                                                                                                                                                                                                                                          • Runs .reg file with regedit
                                                                                                                                                                                                                                                                          PID:576
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\regedit.exe
                                                                                                                                                                                                                                                                          regedit /s "reg2.reg"
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                          • Runs .reg file with regedit
                                                                                                                                                                                                                                                                          PID:3912
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                          timeout 2
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                          PID:5196
                                                                                                                                                                                                                                                                        • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                                                                                          rutserv.exe /silentinstall
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                          PID:2364