Analysis

  • max time kernel
    364s
  • max time network
    691s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    12-08-2024 06:48

General

  • Target

    loopMIDISetup.exe

  • Size

    7.8MB

  • MD5

    15c25cb0b677f25e6f284bdaa20b6716

  • SHA1

    4b28b8a997f58021c2cb072c3724546827badff8

  • SHA256

    86db060b586b57dbeeaab32412602a9dd7f9e4298ab7586e667b7e7dbcf60ed6

  • SHA512

    2241c86c930176ddc47838033b1865831ce102d59484cd88cdf712572d5c8f87ffa8778dab10db35599c12c7510697bc5a58ab724f130e8663e62d5d4d983b62

  • SSDEEP

    196608:5BGCFYswTDdyFoSVIhb6VHNCZwF03eP9GwFnQH8dqDiF:5tbw3dyFo/hbUYWQH8dqDi

Malware Config

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Userdata.exe

  • copy_folder

    Userdata

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    remcos_vcexssuhap

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
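The attribute block above is the whole on-host footprint the Remcos builder gives this sample: where it copies itself, where the encrypted keylog goes, the Run value name and the mutex. The following Python is an added example, not part of the sandbox report, that turns those values into hunting checks. It assumes Remcos composes its locations as install_path + copy_folder + copy_file and keylog_path + keylog_folder + keylog_file (this follows the builder's settings and is not stated on the page), resolves %WinDir% and %AppData% for a default Windows layout, and runs against constructed monitor events, not events from the report.

```python
"""Expand the extracted Remcos config into host-level hunting checks.

Added example; not part of the sandbox report. The path composition
(install_path + copy_folder + copy_file, keylog_path + keylog_folder +
keylog_file) follows how the Remcos builder combines these settings and is an
assumption here, as are the constructed monitor events at the bottom.
"""
import re

# Values copied from the "remcos" config block of the report.
REMCOS_CONFIG = {
    "install_path": r"%WinDir%\System32",
    "copy_folder": "Userdata",
    "copy_file": "Userdata.exe",
    "keylog_path": r"%WinDir%\System32",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_path": r"%AppData%",
    "screenshot_folder": "Screens",
    "startup_value": "remcos",
    "mutex": "remcos_vcexssuhap",
}

# How each %Var% resolves on a default Windows layout, as a regex fragment so
# the user name inside %AppData% does not have to be known in advance.
ENV_PATTERNS = {
    "windir": r"C:\\Windows",
    "appdata": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
}


def _join(*parts):
    return "\\".join(parts)


def remcos_artifacts(cfg):
    """Concrete artifacts implied by the config (paths still hold %Var%)."""
    return {
        "install_exe": _join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]),
        "keylog_file": _join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]),
        "screenshot_dir": _join(cfg["screenshot_path"], cfg["screenshot_folder"]),
        "run_value": cfg["startup_value"],
        "mutex": cfg["mutex"],
    }


def artifact_regex(template, prefix=False):
    """Compile a %Var%-style path template into a case-insensitive regex.

    prefix=True also matches anything below the path (for directories).
    An unknown variable matches a single path component.
    """
    out = []
    for part in re.split(r"(%[A-Za-z]+%)", template):
        var = re.fullmatch(r"%([A-Za-z]+)%", part)
        out.append(ENV_PATTERNS.get(var.group(1).lower(), r"[^\\]+") if var else re.escape(part))
    tail = r"(\\.*)?$" if prefix else "$"
    return re.compile("^" + "".join(out) + tail, re.IGNORECASE)


def hunt(events, cfg=REMCOS_CONFIG):
    """Return (artifact, target) pairs for monitor events that match the config.

    Each event is {"type": FileCreate | RegistryValueSet | MutexCreate, "target": str}.
    """
    art = remcos_artifacts(cfg)
    file_rules = {
        "install_exe": artifact_regex(art["install_exe"]),
        "keylog_file": artifact_regex(art["keylog_file"]),
        "screenshot_dir": artifact_regex(art["screenshot_dir"], prefix=True),
    }
    run_rule = re.compile(
        r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
        + re.escape(art["run_value"]) + "$", re.IGNORECASE)
    hits = []
    for ev in events:
        target = ev["target"]
        if ev["type"] == "FileCreate":
            hits += [(name, target) for name, rx in file_rules.items() if rx.match(target)]
        elif ev["type"] == "RegistryValueSet" and run_rule.match(target):
            hits.append(("run_value", target))
        elif ev["type"] == "MutexCreate" and target == art["mutex"]:
            hits.append(("mutex", target))
    return hits


# Constructed events (not from the report) in the shape a file/registry/object
# monitor would emit; the hosts file and OneDrive entries are benign noise.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "target": r"C:\Windows\System32\Userdata\Userdata.exe"},
    {"type": "FileCreate", "target": r"C:\Windows\System32\remcos\logs.dat"},
    {"type": "FileCreate", "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "RegistryValueSet", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\remcos"},
    {"type": "RegistryValueSet", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "MutexCreate", "target": "remcos_vcexssuhap"},
    {"type": "FileCreate", "target": r"C:\Users\Admin\AppData\Roaming\Screens\20240812.jpg"},
]

if __name__ == "__main__":
    for name, target in hunt(SAMPLE_EVENTS):
        print(f"{name:<15} {target}")
```

Two caveats when using this. keylog_crypt is true, so logs.dat is stored encrypted and a content grep for keystrokes will find nothing; match on the path. Writing under %WinDir%\System32 needs an elevated token, which is consistent with the UAC bypass signatures later in the report, but if the sample never gained elevation those paths will not exist, so the mutex and Run-value checks, which do not depend on the install path, are the more robust indicators.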

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

crimsonrat

C2

185.136.161.124

Signatures

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is malware attributed to a Pakistan-linked threat actor.

  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Netwire

    Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • UAC bypass 3 TTPs 3 IoCs
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Detects Floxif payload 1 IoCs
  • ModiLoader First Stage 1 IoCs
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • RevengeRat Executable 1 IoCs
  • Warzone RAT payload 2 IoCs
  • Sets file to hidden 1 TTPs 64 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Drops startup file 5 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • Modifies WinLogon for persistence 2 TTPs 64 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh are loaded by netsh.exe every time it runs, which turns the registration into a persistence mechanism (ATT&CK T1546.007).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • NTFS ADS 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\loopMIDISetup.exe
    "C:\Users\Admin\AppData\Local\Temp\loopMIDISetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\{EADB8D9D-5F1D-494F-9701-E50C0E56F54C}\.cr\loopMIDISetup.exe
      "C:\Users\Admin\AppData\Local\Temp\{EADB8D9D-5F1D-494F-9701-E50C0E56F54C}\.cr\loopMIDISetup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\loopMIDISetup.exe" -burn.filehandle.attached=740 -burn.filehandle.self=744
      2⤵
      • Checks whether UAC is enabled
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1724
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa0683cb8,0x7fffa0683cc8,0x7fffa0683cd8
      2⤵
      PID:4992
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
      2⤵
      PID:4768
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:912
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
      2⤵
      PID:2820
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      2⤵
      PID:868
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      2⤵
      PID:2972
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
      2⤵
      PID:1796
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
      2⤵
      PID:3488
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
      2⤵
      PID:2376
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
      2⤵
      PID:3296
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3936 /prefetch:8
      2⤵
      PID:4164
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5516 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4192
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
      2⤵
      PID:3396
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4028
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      2⤵
      PID:2620
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      2⤵
      PID:2176
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
      2⤵
      PID:4180
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
      2⤵
      PID:2600
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
      2⤵
      PID:2580
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
      2⤵
      PID:4620
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
      2⤵
      PID:1632
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3848
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,11013460519718052352,13063606240543072386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
      2⤵
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:704
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3092
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4244
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:936
  • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3584
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC22E.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3640
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      PID:4220
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      PID:4476
  • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    PID:2376
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2428
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2z6fhtzg.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:6020
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3839.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59737AA276D1499BAFEBDA97B124C095.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:6024
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\scrbvukr.cmdline"
        3⤵
        PID:5364
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AAA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A35444B13164893BF730DB84E975A1.TMP"
          4⤵
          PID:428
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ucfuzvgm.cmdline"
        3⤵
        PID:2548
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5CFBEEC29AE4E4EB683DB351BE7F7.TMP"
          4⤵
          PID:4140
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2aes_hkf.cmdline"
        3⤵
        PID:2044
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B6EC5E23C604A29B93E97FBBF0FF46.TMP"
          4⤵
          PID:3568
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\so9dwmkx.cmdline"
        3⤵
        PID:2132
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D7B9121912A4F749F44EBFD7D98E9.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5384
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7y744e7t.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5248
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4142.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63C55E0CE5F54979B4E0783AC52E2CD.TMP"
          4⤵
          PID:5620
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytnxwvar.cmdline"
        3⤵
        PID:6084
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4336.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4EB4CA42D524BC1B6DBB9FBD605C.TMP"
          4⤵
          PID:2592
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0cqmgzv4.cmdline"
        3⤵
        PID:5704
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2290C2A6CEB4971853F78377F4DF676.TMP"
                                                                              4⤵
                                                                                PID:5316
                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nk-j6got.cmdline"
                                                                              3⤵
                                                                                PID:2088
                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3223DE83D264409983C27E42C825B43E.TMP"
                                                                                  4⤵
                                                                                    PID:3212
                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdvwz9jn.cmdline"
                                                                                  3⤵
                                                                                    PID:3580
                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E184CCB72B844C6BC966F95924A8EFA.TMP"
                                                                                      4⤵
                                                                                        PID:704
                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vymfp1jj.cmdline"
                                                                                      3⤵
                                                                                        PID:5144
                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4941.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6931279226E4CA8A7FFFCF0E94F113E.TMP"
                                                                                          4⤵
                                                                                            PID:5160
                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f46fq8lj.cmdline"
                                                                                          3⤵
                                                                                            PID:5156
                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBCA8A70AF0D45C3BA954B8EFE4F312.TMP"
                                                                                              4⤵
                                                                                                PID:6048
                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j5hvgptk.cmdline"
                                                                                              3⤵
                                                                                                PID:5600
                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3D8B5BF9495406C8726937191E91A50.TMP"
                                                                                                  4⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:2592
                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pvre6rpi.cmdline"
                                                                                                3⤵
                                                                                                  PID:4468
                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CDA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12A3B0CDE5814C0B917612EAD4C473.TMP"
                                                                                                    4⤵
                                                                                                      PID:3996
                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qtlvn1oj.cmdline"
                                                                                                    3⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:5932
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F5B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FF4C2D3B1784CB88C9A9BAD6D6E83FE.TMP"
                                                                                                      4⤵
                                                                                                        PID:3736
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\usm7ey0i.cmdline"
                                                                                                      3⤵
                                                                                                        PID:1980
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES516E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1300276B140C4B229F9571A3C0B91DAB.TMP"
                                                                                                          4⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:1956
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rynq9p4b.cmdline"
                                                                                                        3⤵
                                                                                                          PID:2460
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5333.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B52682EA67545D3A47643D3FF0C728.TMP"
                                                                                                            4⤵
                                                                                                              PID:3520
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fqudmwlq.cmdline"
                                                                                                            3⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:5248
                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5518.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C5C12B834E841AC8E3F7FAE76671DF2.TMP"
                                                                                                              4⤵
                                                                                                                PID:5332
                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rptzfytj.cmdline"
                                                                                                              3⤵
                                                                                                                PID:6064
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5602.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE98694DFD1A4DFA95D642B785C293AA.TMP"
                                                                                                                  4⤵
                                                                                                                    PID:5952
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i7xgta20.cmdline"
                                                                                                                  3⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:5596
                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D56BEF6D5FA4143B2A7789BE966387.TMP"
                                                                                                                    4⤵
                                                                                                                      PID:904
                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wd1uyr5t.cmdline"
                                                                                                                    3⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:5380
                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D39BA8F53C545399A4E6C6288878145.TMP"
                                                                                                                      4⤵
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:2980
                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                    3⤵
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:1868
                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                      4⤵
                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:6020
                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                        5⤵
                                                                                                                          PID:5916
                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                          5⤵
                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                          PID:4588
                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            6⤵
                                                                                                                              PID:3660
                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0swc5wex.cmdline"
                                                                                                                            5⤵
                                                                                                                              PID:6844
                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54F09F7BEDFE44A0BD5B6E5DEF6F1CE.TMP"
                                                                                                                                6⤵
                                                                                                                                  PID:4856
                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wsng278e.cmdline"
                                                                                                                                5⤵
                                                                                                                                  PID:428
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc974A1B4FD4F34D5FA111DA990E6169F.TMP"
                                                                                                                                    6⤵
                                                                                                                                      PID:8852
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lvf-wrqw.cmdline"
                                                                                                                                    5⤵
                                                                                                                                      PID:9416
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8AA397EBF64459ABB16167771C4C4A.TMP"
                                                                                                                                        6⤵
                                                                                                                                          PID:8328
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rvzko3x8.cmdline"
                                                                                                                                        5⤵
                                                                                                                                          PID:9736
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4B7F518D944232A1BA56A0B18AFCFB.TMP"
                                                                                                                                            6⤵
              PID:9108
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yjg4rlwr.cmdline"
                  5⤵
                  PID:9704
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      6⤵
                      PID:2804
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDC46132A94CEB9DE5672FA331F9C.TMP"
                      6⤵
                      PID:6636
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6dhoqojr.cmdline"
                  5⤵
                  PID:7404
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2B860396C6F413289C71FCDC4DA44B8.TMP"
                      6⤵
                      PID:9036
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j1dhqi4b.cmdline"
                  5⤵
                  PID:6416
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1328.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0412BAA8485481FAFBEB5F3F27150A0.TMP"
                      6⤵
                      PID:10044
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6jl4l3um.cmdline"
                  5⤵
                  PID:9320
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE39D8A4FA8B49F4AC45613ECB233D23.TMP"
                      6⤵
                      PID:6372
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8rtnvjca.cmdline"
                  5⤵
                  PID:6164
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1829.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6E2E9DED69A4276B0CBB1A76E7556A.TMP"
                      6⤵
                      PID:7912
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ewxj7ht.cmdline"
                  5⤵
                  PID:8792
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A2D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCD5E6A5D03A43198F1FA4CFD887852D.TMP"
                      6⤵
                      PID:7844
• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe"
  1⤵
  PID:4760
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      PID:4176
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          3⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1364
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      PID:4628
        • C:\Windows\SysWOW64\PING.EXE
          PING 127.0.0.1 -n 2
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:796
        • C:\Windows\SysWOW64\Userdata\Userdata.exe
          "C:\Windows\SysWOW64\Userdata\Userdata.exe"
          3⤵
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          PID:3252
            • C:\Windows\SysWOW64\cmd.exe
              /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              4⤵
              PID:4932
                • C:\Windows\SysWOW64\reg.exe
                  C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  5⤵
                  • UAC bypass
                  • Modifies registry key
                  PID:960
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              4⤵
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              PID:1924
                • C:\Windows\SysWOW64\cmd.exe
                  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  5⤵
                  PID:780
                    • C:\Windows\SysWOW64\reg.exe
                      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                      6⤵
                      • UAC bypass
                      • Modifies registry key
                      PID:1432
• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe"
  1⤵
  • Drops startup file
  • Adds Run key to start application
  • System Location Discovery: System Language Discovery
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:4900
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:1328
• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe"
  1⤵
  PID:2592
    • C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      PID:3188
        • C:\Program Files (x86)\internet explorer\ieinstal.exe
          "C:\Program Files (x86)\internet explorer\ieinstal.exe"
          3⤵
          PID:4916
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E4
  1⤵
  PID:5632
• C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.doc" /o ""
  1⤵
  • Checks processor information in registry
  • Enumerates system info in registry
  • Suspicious behavior: AddClipboardFormatListener
  • Suspicious use of SetWindowsHookEx
  PID:5728
    • C:\Windows\SYSTEM32\runonce.exe
      runonce.exe
      2⤵
      • Process spawned unexpected child process
      PID:8712
• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
  1⤵
  PID:4948
    • C:\ProgramData\Hdlharas\dlrarhsiva.exe
      "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      2⤵
      • Executes dropped EXE
      PID:716
• C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
  1⤵
  • Adds Run key to start application
  • Modifies WinLogon for persistence
  • Suspicious use of AdjustPrivilegeToken
  PID:796
                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                  attrib "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:4716
                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                    attrib "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT" +s +h
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:836
                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                    PID:5132
                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:5336
                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • Sets file to hidden
                                                                                                                                                                                        PID:5360
                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                        PID:5852
                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                          notepad
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:6056
                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                            attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:6116
                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                              attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:6140
                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                PID:5340
                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                  attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:5904
                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                  attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:5976
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                    PID:3736
                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                        PID:2348
                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Views/modifies file attributes
                                                                                                                                                                                                        PID:4836
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:4016
                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                          attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          PID:1956
                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                          attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                            PID:1476
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                            PID:5228
                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                              attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                PID:5732
                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                  PID:5744
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                  PID:5184
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:5220
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    PID:4604
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                    PID:904
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                      • Sets file to hidden
                                                                                                                                                                                                                      PID:5496
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                        PID:5436
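The three entries above describe the persistence and hiding stage: a copy named winupdate.exe is dropped under a Windupdt directory, Winlogon is modified, and attrib +s +h is used to mark both the file and its directory system and hidden so they do not show up in a default directory listing. Note that the command line says C:\Windows\system32\Windupdt\winupdate.exe while the image path recorded is C:\Windows\SysWOW64\Windupdt\winupdate.exe: the parent is a 32-bit process, so its writes to System32 are redirected to SysWOW64 by WOW64 file-system redirection. The following PowerShell is an added triage check, not part of the sandbox report, that looks for exactly these artifacts on a host. The report only says the Winlogon key was modified without naming the value, so the script compares the commonly abused Shell and Userinit values against stock defaults (an assumption for a clean install) and also flags any Winlogon value that references the dropped file name; the Wow6432Node path is checked as a precaution rather than because the report shows it.

```powershell
# Added hunting check for the Windupdt/winupdate.exe artifacts shown in the
# process tree. Not from the sandbox report. Run as Administrator.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Dropped binary. The command line said System32, but a 32-bit writer is
#    redirected to SysWOW64, so check both paths. -Force is required because
#    attrib +s +h makes the file invisible to a plain Get-Item/Get-ChildItem.
$candidates = @(
    "$env:SystemRoot\SysWOW64\Windupdt\winupdate.exe",
    "$env:SystemRoot\System32\Windupdt\winupdate.exe"
)
foreach ($path in $candidates) {
    $item = Get-Item -LiteralPath $path -Force
    if ($item) {
        $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $system = ($item.Attributes -band [IO.FileAttributes]::System) -ne 0
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Check  = 'DroppedFile'
            Detail = "$path exists (Hidden=$hidden System=$system) SHA256=$hash"
        }
    }
}

# 2. Winlogon persistence. Defaults below are assumptions for a stock install
#    (Userinit normally carries a trailing comma). Anything else is reported.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
foreach ($key in $winlogonKeys) {
    $props = Get-ItemProperty -LiteralPath $key
    if (-not $props) { continue }
    foreach ($name in $defaults.Keys) {
        $value = $props.$name
        if ($null -ne $value -and $value.Trim() -ine $defaults[$name]) {
            $findings += [pscustomobject]@{ Check = 'Winlogon'; Detail = "$key\$name = '$value'" }
        }
    }
    # The report does not say which value was changed, so also flag any value
    # that points at the dropped binary by name.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'Windupdt|winupdate\.exe') {
            $findings += [pscustomobject]@{ Check = 'Winlogon'; Detail = "$key\$($p.Name) = '$($p.Value)'" }
        }
    }
}

# 3. Live instance of the dropped EXE (the sandbox saw it execute as PID 904).
Get-CimInstance Win32_Process -Filter "Name = 'winupdate.exe'" | ForEach-Object {
    $findings += [pscustomobject]@{ Check = 'Process'; Detail = "PID $($_.ProcessId): $($_.CommandLine)" }
}

if ($findings.Count -eq 0) {
    'No Windupdt/winupdate.exe artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

If the file is found, collect it before removal (the hash lets you match it against the SHA256 in the report header), and clear the +s +h attributes with `attrib -s -h` before deleting, since some tools refuse to remove system-flagged files. Treat a non-default Shell or Userinit value as the persistence to revert; simply deleting the binary leaves a broken logon entry behind.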