Resubmissions

12-08-2024 19:12

240812-xwgb2svglq 10

12-08-2024 18:30

240812-w5r98stdkn 10

Analysis

  • max time kernel
    1642s
  • max time network
    1643s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-08-2024 18:30

General

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://149.129.72.37:23456/SNpK

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader First Stage 1 IoCs
  • RevengeRat Executable 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file
  • Office macro that triggers on suspicious action 1 IoCs

    Office document macro which triggers in special circumstances - often malicious.

  • Possible privilege escalation attempt 4 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Loads dropped DLL 37 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 19 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 58 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 11 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs
  • Suspicious use of SetWindowsHookEx 33 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.yandex.com.tr/search/?text=bonzi+buddy+download&clid=2411726&lr=11508
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcef7a3cb8,0x7ffcef7a3cc8,0x7ffcef7a3cd8
      2⤵
        PID:2664
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
        2⤵
          PID:1340
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1044
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
          2⤵
            PID:4504
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
            2⤵
              PID:4624
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
              2⤵
                PID:2172
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5176 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3040
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2972
              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4712
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
                2⤵
                  PID:4252
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
                  2⤵
                    PID:1924
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
                    2⤵
                      PID:2592
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
                      2⤵
                        PID:2712
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4832 /prefetch:2
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2072
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5160 /prefetch:8
                        2⤵
                          PID:5104
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
                          2⤵
                            PID:4656
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
                            2⤵
                              PID:3256
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
                              2⤵
                                PID:3500
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
                                2⤵
                                  PID:1532
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
                                  2⤵
                                    PID:3308
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
                                    2⤵
                                      PID:2396
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7056 /prefetch:8
                                      2⤵
                                        PID:3428
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
                                        2⤵
                                          PID:3856
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
                                          2⤵
                                            PID:4860
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
                                            2⤵
                                              PID:1956
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4908 /prefetch:8
                                              2⤵
                                                PID:3388
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6592 /prefetch:8
                                                2⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2212
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7332 /prefetch:1
                                                2⤵
                                                  PID:3976
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
                                                  2⤵
                                                    PID:3700
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
                                                    2⤵
                                                      PID:3396
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
                                                      2⤵
                                                        PID:2920
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:1
                                                        2⤵
                                                          PID:3160
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
                                                          2⤵
                                                            PID:712
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
                                                            2⤵
                                                              PID:3496
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1
                                                              2⤵
                                                                PID:3912
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
                                                                2⤵
                                                                  PID:5056
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
                                                                  2⤵
                                                                    PID:1192
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
                                                                    2⤵
                                                                      PID:1976
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
                                                                      2⤵
                                                                        PID:1540
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
                                                                        2⤵
                                                                          PID:4788
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
                                                                          2⤵
                                                                            PID:3340
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
                                                                            2⤵
                                                                              PID:3796
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:8
                                                                              2⤵
                                                                              • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                              • NTFS ADS
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:3040
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
                                                                              2⤵
                                                                                PID:3608
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
                                                                                2⤵
                                                                                  PID:4252
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
                                                                                  2⤵
                                                                                    PID:1640
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
                                                                                    2⤵
                                                                                      PID:3856
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
                                                                                      2⤵
                                                                                        PID:4364
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1
                                                                                        2⤵
                                                                                          PID:3368
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
                                                                                          2⤵
                                                                                            PID:3812
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
                                                                                            2⤵
                                                                                              PID:1604
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2872 /prefetch:8
                                                                                              2⤵
                                                                                              • NTFS ADS
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              PID:3124
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
                                                                                              2⤵
                                                                                                PID:2500
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
                                                                                                2⤵
                                                                                                  PID:1800
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
                                                                                                  2⤵
                                                                                                    PID:3732
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
                                                                                                    2⤵
                                                                                                      PID:3152
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
                                                                                                      2⤵
                                                                                                        PID:2120
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7924 /prefetch:1
                                                                                                        2⤵
                                                                                                          PID:4372
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8028 /prefetch:8
                                                                                                          2⤵
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:3868
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
                                                                                                          2⤵
                                                                                                            PID:3592
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7296 /prefetch:8
                                                                                                            2⤵
                                                                                                            • NTFS ADS
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:3292
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
                                                                                                            2⤵
                                                                                                              PID:5016
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
                                                                                                              2⤵
                                                                                                              • NTFS ADS
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              PID:4780
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
                                                                                                              2⤵
                                                                                                                PID:2076
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8468 /prefetch:1
                                                                                                                2⤵
                                                                                                                  PID:6660
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8772 /prefetch:1
                                                                                                                  2⤵
                                                                                                                    PID:1672
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8788 /prefetch:1
                                                                                                                    2⤵
                                                                                                                      PID:5388
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:1
                                                                                                                      2⤵
                                                                                                                        PID:2860
                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8912 /prefetch:1
                                                                                                                        2⤵
                                                                                                                          PID:5976
                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8852 /prefetch:1
                                                                                                                          2⤵
                                                                                                                            PID:2176
                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9192 /prefetch:1
                                                                                                                            2⤵
                                                                                                                              PID:4132
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
                                                                                                                              2⤵
                                                                                                                                PID:3056
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
                                                                                                                                2⤵
                                                                                                                                  PID:556
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8732 /prefetch:1
                                                                                                                                  2⤵
                                                                                                                                    PID:960
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:1
                                                                                                                                    2⤵
                                                                                                                                      PID:5720
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
                                                                                                                                      2⤵
                                                                                                                                        PID:6096
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:1
                                                                                                                                        2⤵
                                                                                                                                          PID:5256
                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
                                                                                                                                          2⤵
                                                                                                                                            PID:5376
                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
                                                                                                                                            2⤵
                                                                                                                                              PID:5804
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9180 /prefetch:8
                                                                                                                                              2⤵
                                                                                                                                                PID:6904
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
                                                                                                                                                2⤵
                                                                                                                                                  PID:6280
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9168 /prefetch:1
                                                                                                                                                  2⤵
                                                                                                                                                    PID:4212
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
                                                                                                                                                    2⤵
                                                                                                                                                      PID:1956
                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:1
                                                                                                                                                      2⤵
                                                                                                                                                        PID:6408
                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:1
                                                                                                                                                        2⤵
                                                                                                                                                          PID:6804
                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
                                                                                                                                                          2⤵
                                                                                                                                                            PID:3280
                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8816 /prefetch:1
                                                                                                                                                            2⤵
                                                                                                                                                              PID:908
                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
                                                                                                                                                              2⤵
                                                                                                                                                                PID:5196
                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8596 /prefetch:1
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:6616
                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:3652
                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8432 /prefetch:1
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:5444
                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:1
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:1656
                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7784 /prefetch:8
                                                                                                                                                                        2⤵
                                                                                                                                                                        • NTFS ADS
                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                        PID:5012
                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8596 /prefetch:8
                                                                                                                                                                        2⤵
                                                                                                                                                                        • Subvert Trust Controls: Mark-of-the-Web Bypass
                                                                                                                                                                        • NTFS ADS
                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                        PID:6384
                                                                                                                                                                      • C:\Users\Admin\Downloads\butterflyondesktop.exe
                                                                                                                                                                        "C:\Users\Admin\Downloads\butterflyondesktop.exe"
                                                                                                                                                                        2⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:5160
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-HTVE8.tmp\butterflyondesktop.tmp
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-HTVE8.tmp\butterflyondesktop.tmp" /SL5="$100346,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:4848
                                                                                                                                                                          • C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
                                                                                                                                                                            "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
                                                                                                                                                                            4⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                            PID:1712
                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:1404
                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcef7a3cb8,0x7ffcef7a3cc8,0x7ffcef7a3cd8
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:5204
                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7408 /prefetch:8
                                                                                                                                                                            2⤵
                                                                                                                                                                            • NTFS ADS
                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                            PID:5132
                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:7164
                                                                                                                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:2780
                                                                                                                                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:804
                                                                                                                                                                              • C:\Windows\System32\rundll32.exe
                                                                                                                                                                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:2172
                                                                                                                                                                                • C:\Users\Admin\Downloads\BonziBuddy432.exe
                                                                                                                                                                                  "C:\Users\Admin\Downloads\BonziBuddy432.exe"
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                  PID:3968
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:2016
                                                                                                                                                                                      • C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
                                                                                                                                                                                        MSAGENT.EXE
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • Boot or Logon Autostart Execution: Active Setup
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                        PID:5060
                                                                                                                                                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                          regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:2988
                                                                                                                                                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                          regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          PID:3772
                                                                                                                                                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                          regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:568
                                                                                                                                                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                          regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:1532
                                                                                                                                                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                          regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:2716
                                                                                                                                                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                          regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:1952
                                                                                                                                                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                          regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          PID:2700
                                                                                                                                                                                        • C:\Windows\msagent\AgentSvr.exe
                                                                                                                                                                                          "C:\Windows\msagent\AgentSvr.exe" /regserver
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                          PID:3564
                                                                                                                                                                                        • C:\Windows\SysWOW64\grpconv.exe
                                                                                                                                                                                          grpconv.exe -o
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:2208
                                                                                                                                                                                        • C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
                                                                                                                                                                                          tv_enua.exe
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Boot or Logon Autostart Execution: Active Setup
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                          PID:1888
                                                                                                                                                                                          • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                            regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
                                                                                                                                                                                            4⤵
                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:4808
                                                                                                                                                                                          • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                            regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
                                                                                                                                                                                            4⤵
                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:1068
                                                                                                                                                                                          • C:\Windows\SysWOW64\grpconv.exe
                                                                                                                                                                                            grpconv.exe -o
                                                                                                                                                                                            4⤵
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:808
                                                                                                                                                                                    • C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
                                                                                                                                                                                      "C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                      PID:3756
                                                                                                                                                                                    • C:\Windows\msagent\AgentSvr.exe
                                                                                                                                                                                      C:\Windows\msagent\AgentSvr.exe -Embedding
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                                                                      PID:3804
                                                                                                                                                                                    • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                                      C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D0
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                      PID:660
                                                                                                                                                                                    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
                                                                                                                                                                                      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:3908
                                                                                                                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                                                                                                                                                        1⤵
                                                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                        PID:248
                                                                                                                                                                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:248 CREDAT:17410 /prefetch:2
                                                                                                                                                                                          2⤵
                                                                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                          PID:664
                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:4684
                                                                                                                                                                                        • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
                                                                                                                                                                                          "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:1712
                                                                                                                                                                                            • C:\ProgramData\Hdlharas\dlrarhsiva.exe
                                                                                                                                                                                              "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              PID:1508
                                                                                                                                                                                          • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                                                                                                                                            "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CobaltStrike.doc" /o ""
                                                                                                                                                                                            1⤵
                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                            • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                            PID:4508
                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                              C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                                              PID:4476
                                                                                                                                                                                          • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
                                                                                                                                                                                            "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
                                                                                                                                                                                            1⤵
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:5584
                                                                                                                                                                                            • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
                                                                                                                                                                                              "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:5624
                                                                                                                                                                                              • C:\Program Files (x86)\internet explorer\ieinstal.exe
                                                                                                                                                                                                "C:\Program Files (x86)\internet explorer\ieinstal.exe"
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:7084
                                                                                                                                                                                            • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
                                                                                                                                                                                              "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
                                                                                                                                                                                              1⤵
                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:6236
                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                • Drops startup file
                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                • NTFS ADS
                                                                                                                                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                PID:6400
                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:6448
                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\luox8rty.cmdline"
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:6136
                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6F297687D434C328CA0E3D93A41DBED.TMP"
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:5272
                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4hmhnf0n.cmdline"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:5440
                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA258.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8CFB52764E6496E8D90B5E2315DC48D.TMP"
                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:2760
                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkwp9bbz.cmdline"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:3644
                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C93EAF0825E4678BAB147151B6F96.TMP"
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:5936
                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jledkbw3.cmdline"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:6116
                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA342.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24E937261D7B48DF8FA8D9B596251FE7.TMP"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:5392
                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtonr4w0.cmdline"
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:3060
                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B8E4E5CBAAF43338C7B9D36E4991DF.TMP"
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:5852
                                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3hgst_py.cmdline"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:6072
                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA42C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5531983B4FA4490B17D5939E6793D6.TMP"
                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                          PID:580
                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\61kv8t87.cmdline"
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:5724
                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA48A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AF80B61236B4B4EA6E1B0F8A9AD5DC9.TMP"
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:5268
                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j8tikjq8.cmdline"
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          PID:1704
                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9476357FAC0F439CA87D4D815A5F3976.TMP"
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                              PID:5340
                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tv7ivwdm.cmdline"
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:540
                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA565.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACA985B1B49741758797B629BD41B57C.TMP"
                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                  PID:240
                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qmuigb9k.cmdline"
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:6192
                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BB3E62FA58844E49081196F9DC4A86.TMP"
                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                    PID:6384
                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gyalgums.cmdline"
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:6504
                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA620.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2E914CAE04C47038035DD7F9DF2DBE.TMP"
                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                        PID:6708
                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nyzsdwep.cmdline"
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:6900
                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA69D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21D6A420FC074AA786D4772713F463E.TMP"
                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                            PID:7044
                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3-6ug0z.cmdline"
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                          PID:6208
                                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE63EBDB578424D93BD6896BD9BE96ABA.TMP"
                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                              PID:6524
                                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\52gqpwfa.cmdline"
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:6692
                                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA65013AC3C0E4218A1C360C8D4C523D6.TMP"
                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                  PID:7088
                                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7xzedvqp.cmdline"
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:5584
                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB527101B51BD4ECCAA728C5AB11FA9DA.TMP"
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                    PID:6268
                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aaeot_4i.cmdline"
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:6604
                                                                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA814.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9222EFEF953A41CF9CBB7B7FC86899EE.TMP"
                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:6224
                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7thx4gys.cmdline"
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:4000
                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA891.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C79FE2A2BE149C9BDD63B6B5B91211A.TMP"
                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:5608
                                                                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7fw3uo2x.cmdline"
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:6368
                                                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D015432D8194F4895D2DEABA4DCCF38.TMP"
                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:5776
                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ula5pjr9.cmdline"
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:5704
                                                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA94D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBFD1BAA905E42CD887734E4BEDD96C.TMP"
                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                          PID:5416
                                                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\18tlzira.cmdline"
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:5920
                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEB8DD038B604F738C3CBCB4416BCC8A.TMP"
                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          PID:5968
                                                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4fppcwzk.cmdline"
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:5148
                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67241FE98AFE4CF4A8824E6E422E29A.TMP"
                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                            PID:6136
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                          schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                          PID:5864
                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8kyqf0yz.cmdline"
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:5376
                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEED2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A96212B2C5B41AB92E568C28211C62F.TMP"
                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                              PID:3932
                                                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\truhzy6v.cmdline"
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:5964
                                                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63686A83970C472497977818E8FBDEB2.TMP"
                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                  PID:6120
                                                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kgs4lr96.cmdline"
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                PID:4604
                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFFB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2308C5A18B3644F787E6B82EA1FC232D.TMP"
                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                    PID:3928
                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2gtrx-mb.cmdline"
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  PID:2860
                                                                                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF087.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc120E1C3736942FFB164659040AF19EC.TMP"
                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                    PID:5820
                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8idi2mye.cmdline"
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:888
                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD8BB65F87F83444C9B69CA3859676E0.TMP"
                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                        PID:3724
                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\31z1fej2.cmdline"
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:5400
                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF22D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA508CE63B34947008CC2E520761632D4.TMP"
                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          PID:5748
                                                                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mfs2-dro.cmdline"
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:6372
                                                                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF308.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9C30928514248009E8F04441D567BD.TMP"
                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                              PID:6276
                                                                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ssinpbsa.cmdline"
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:6684
                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF395.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0B009E6BC93495FBBFAEE235FB11E78.TMP"
                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                              PID:6540
                                                                                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b5atz7m0.cmdline"
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                              PID:7008
                                                                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF412.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA4D21F596AE453CB58E23A07A23DB6.TMP"
                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                PID:6948
                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rw9jd-cq.cmdline"
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                              PID:6284
                                                                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF47F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9ED85058507B4508AA34F72A285AA92F.TMP"
                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                PID:6208
                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ylu0ysmo.cmdline"
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                              PID:6772
                                                                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C4F8040F1C44DDA865D1AC25A504E64.TMP"
                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                PID:6848
                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkjeyfvv.cmdline"
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                PID:6304
                                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF569.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DAE5EAB92DE473D91BE643B3FC7319E.TMP"
                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                  PID:1756
                                                                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ro0cdd_.cmdline"
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:6752
                                                                                                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77AAA3CEFE654479A171A189A114F9B.TMP"
                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                    PID:6532
                                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\anmkfmaf.cmdline"
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                    PID:4800
                                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59BE4C8EAEA94BBA9F3DF9C2FA1CB42C.TMP"
                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                        PID:4788
                                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\anjlteqe.cmdline"
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                        PID:5100
                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5078.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11B5F07DBB342F8968497AA2D99FB5C.TMP"
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                            PID:5208
                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ptfjhbv.cmdline"
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                            PID:6908
                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73C83E5FE8694DA69CC16C95FD9B68C7.TMP"
                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                PID:5124
                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qb79zxl2.cmdline"
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                PID:812
                                                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES527B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC68627253A6040D7A9C2897742313A33.TMP"
                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                    PID:1744
                                                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q2i8grye.cmdline"
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:4924
                                                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5385.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55C81334751A4EBFA320B1E84C4AB6D1.TMP"
                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                        PID:6928
                                                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g8woulq9.cmdline"
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                        PID:1068
                                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES555A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3784D66065AB43C19FFA304F7B6E896E.TMP"
                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                            PID:804
                                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nimfw9i0.cmdline"
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                            PID:5384
                                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF4CF84430FF4505926B49EC8EC1D495.TMP"
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                PID:2476
                                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\htv95y0i.cmdline"
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                PID:4016
                                                                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5896.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67ECD21B6D5C403EA68A5019F14ACFF.TMP"
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                    PID:460
                                                                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l5cgxxfm.cmdline"
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:5316
                                                                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5932.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA90FF1A81C1E4445B64CE817DB287A35.TMP"
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                        PID:4632
                                                                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ju1giph-.cmdline"
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:6836
                                                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF0F229F8084933B2F9EFA26B6C68B.TMP"
                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                            PID:4060
                                                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mzwwhso3.cmdline"
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                            PID:6972
                                                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc342BA04413774439AA1034DB6561D410.TMP"
                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                PID:4376
                                                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yqxl-zki.cmdline"
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                PID:5720
                                                                                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E72.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6D2642A927A4149976AA87FF227107B.TMP"
                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                    PID:6164
                                                                                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5rgguilt.cmdline"
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                    PID:2572
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FBA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C88E6EE910424296E9D18459AC10E8.TMP"
                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                        PID:5244
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-qbotejk.cmdline"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                        PID:6996
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6112.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C4F02D45BE54D90B467582D68D8C1CC.TMP"
                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                            PID:4692
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t2zd1vwu.cmdline"
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:3524
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6364.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F8E8CEF23444C268A35D86E1B80768.TMP"
                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                PID:5996
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2g0msntr.cmdline"
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:5208