Analysis

  • max time kernel
    871s
  • max time network
    879s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    27-08-2024 14:56

Errors

Reason
Machine shutdown

General

  • Target

    tyler.jpg

  • Size

    47KB

  • MD5

    a4e8e2d3b2f54a7d91f73f25280e29f4

  • SHA1

    77ecb0a6391a72b0deba66b651adc70aa9e31e97

  • SHA256

    67b2c63de52b106cb5067d162d231d04d9a4c977b470014b8bd7e3142451c0c7

  • SHA512

    5c100af3d55901a5aff5c53490c797b243315cd66a2c319cdbcd1b15308470fcda987222bf236ef415fdd35cd0803b9b08aac8843d2d9fcdbf1f79d4e5fadb48

  • SSDEEP

    768:HDZyIdPap+jg0263KE+lP2CDvz9IT7S+uulO+M0+Kd4d9gg770gde4avcC+8JnGs:HDRdPE+kA6EO2O+z5lfV+KdA9gg7Y4a5

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

crimsonrat

C2

185.136.161.124

Signatures

  • Chimera 64 IoCs

    Ransomware which infects local and network files, often distributed via Dropbox links.

  • Chimera Ransomware Loader DLL 1 IoCs

    Drops/unpacks executable file which resembles Chimera's Loader.dll.

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is malware attributed to a Pakistan-linked threat actor.

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Renames multiple (3280) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • RevengeRat Executable 1 IoCs
  • Disables Task Manager via registry modification
  • Drops startup file 4 IoCs
  • Executes dropped EXE 64 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 26 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 20 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Modifies registry class 23 IoCs
  • NTFS ADS 23 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\tyler.jpg
    1⤵
    PID:4856
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Chimera
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4232
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff69d23cb8,0x7fff69d23cc8,0x7fff69d23cd8
        2⤵
        PID:504
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
        2⤵
        PID:4464
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1520
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
        2⤵
        PID:2260
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        2⤵
        PID:4456
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        2⤵
        PID:872
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
        2⤵
        PID:1844
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
        2⤵
        PID:5820
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:240
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
        2⤵
        PID:2568
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
        2⤵
        PID:3912
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
        2⤵
        PID:3956
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
        2⤵
        PID:2012
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5684 /prefetch:8
        2⤵
        PID:3228
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:8
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:5888
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
        2⤵
        PID:2808
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
        2⤵
        PID:5804
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        2⤵
        PID:1680
      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:872
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
        2⤵
        PID:4376
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
        2⤵
        PID:2324
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
        2⤵
        PID:4688
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:584
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1312 /prefetch:8
        2⤵
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        PID:5836
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
        2⤵
        PID:2056
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
        2⤵
        PID:5896
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1608
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5580
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1504
  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe
    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    PID:1092
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\syswow64\explorer.exe"
        2⤵
        • Drops startup file
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        PID:852
          • C:\Windows\SysWOW64\svchost.exe
            -k netsvcs
            3⤵
            PID:5992
  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    PID:4788
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        2⤵
        • Drops startup file
        • Suspicious use of SetThreadContext
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        PID:4792
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
            3⤵
            PID:3888
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a0dgwxne.cmdline"
            3⤵
            PID:2576
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51501822919D442D895662A8F98A3272.TMP"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:5880
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhlsktv4.cmdline"
            3⤵
            PID:676
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74173E1DD634135AE5DBE1C3ADDCE7.TMP"
                4⤵
                PID:3000
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ar5qqvyc.cmdline"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:5296
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2A6411982CA4FE4AFE1CE79FD3CFFF4.TMP"
                4⤵
                PID:336
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qnrzjkrx.cmdline"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4208
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A63AE6EC6FD4E57B161D5D628D71654.TMP"
                4⤵
                PID:5116
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gjvwqly5.cmdline"
            3⤵
            PID:1536
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc49A19A9BC5B84D528EFE66F7F1F6AAB6.TMP"
                4⤵
                PID:5756
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ti7slir-.cmdline"
            3⤵
            PID:1672
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF13AEA1EAA9D40D2A159D8B8D1868CA2.TMP"
                4⤵
                PID:4880
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\txlz_2d_.cmdline"
            3⤵
            PID:1060
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D97374361B34D80A4E13F470452DE4.TMP"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:5556
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xu3-gubl.cmdline"
            3⤵
            PID:6088
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC820091FAA43FFAD8743E0012FBF9.TMP"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1180
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkbq_nig.cmdline"
            3⤵
            PID:3204
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BB463AAA3344EDE8B2ECCD32CAA67BC.TMP"
                                                                                      4⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:2540
                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vxmzpsgw.cmdline"
                                                                                    3⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:5624
                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE055.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCABC9649EF974364B4CD53D68F8FF9C2.TMP"
                                                                                      4⤵
                                                                                        PID:3320
                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fxynonoi.cmdline"
                                                                                      3⤵
                                                                                        PID:3592
                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1127028429364F9A8CC4428EBA696F82.TMP"
                                                                                          4⤵
                                                                                            PID:4996
                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ot3btmh6.cmdline"
                                                                                          3⤵
                                                                                            PID:920
                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE140.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FA719A995174E7B8EA08555EB2F6B28.TMP"
                                                                                              4⤵
                                                                                                PID:2136
                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kexetxfq.cmdline"
                                                                                              3⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:6068
                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE19D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1FFAEC6CFFF42F6A59D184C80262BAD.TMP"
                                                                                                4⤵
                                                                                                  PID:2336
                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5glsbtx3.cmdline"
                                                                                                3⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4676
                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE20B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C5EA827E40D4889A0D88B71EE49874.TMP"
                                                                                                  4⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:4648
                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\96c9vdyv.cmdline"
                                                                                                3⤵
                                                                                                  PID:3424
                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE288.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc800CE4A5B0704FCCBB304D38F9DD8810.TMP"
                                                                                                    4⤵
                                                                                                      PID:1012
                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgupcxjy.cmdline"
                                                                                                    3⤵
                                                                                                      PID:5520
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE305.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC328533C11894A79AFFF53E1C68EDD9.TMP"
                                                                                                        4⤵
                                                                                                          PID:5608
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7o9mqxkz.cmdline"
                                                                                                        3⤵
                                                                                                          PID:5772
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE391.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A2FD9EE12440D3895D566E1A80A95.TMP"
                                                                                                            4⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:4744
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xlwc0ipe.cmdline"
                                                                                                          3⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:4720
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20E88E9E77C4AE8B648553C674A4FB0.TMP"
                                                                                                            4⤵
                                                                                                              PID:3908
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_sf2_ne.cmdline"
                                                                                                            3⤵
                                                                                                              PID:1800
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE45C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBEAEF08BE0304EED8B6AC56D258A92F.TMP"
                                                                                                                4⤵
                                                                                                                  PID:668
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_ib6jf6m.cmdline"
                                                                                                                3⤵
                                                                                                                  PID:4664
                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB36D8D90D70C45EDB8715BE1AE562A93.TMP"
                                                                                                                    4⤵
                                                                                                                      PID:3000
                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cszqclbx.cmdline"
                                                                                                                    3⤵
                                                                                                                      PID:1064
                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE537.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5508BE1CADFE4CBA97706582EDF1C679.TMP"
                                                                                                                        4⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:5628
                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omgyehiq.cmdline"
                                                                                                                      3⤵
                                                                                                                        PID:4944
                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE138846F2854C3687A575B247F69A73.TMP"
                                                                                                                          4⤵
                                                                                                                            PID:5576
                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                          3⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:4680
                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                            4⤵
                                                                                                                            • Drops startup file
                                                                                                                            • Adds Run key to start application
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • NTFS ADS
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5736
                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                              5⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5864
                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                              schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                              5⤵
                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                              PID:1820
                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6nkfbd0m.cmdline"
                                                                                                                              5⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:3168
                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA808FC774EE45AD997452FBCD412D2A.TMP"
                                                                                                                                6⤵
                                                                                                                                  PID:3228
                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dr6pgtmu.cmdline"
                                                                                                                                5⤵
                                                                                                                                  PID:1848
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D1C4B5ACF21418CAE3D51CB599EC5D.TMP"
                                                                                                                                    6⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4224
                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wi5ex7ct.cmdline"
                                                                                                                                  5⤵
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:4608
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD92F7377E0904C64B43115F6FFC0EE39.TMP"
                                                                                                                                    6⤵
                                                                                                                                      PID:2032
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ua3fzduw.cmdline"
                                                                                                                                    5⤵
                                                                                                                                      PID:6032
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2F062FEA2B64E3EA9A313A4C0C3C033.TMP"
                                                                                                                                        6⤵
                                                                                                                                          PID:1208
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nfpdlzo-.cmdline"
                                                                                                                                        5⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:668
                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD439EB3BD81A46F2A31CA75D26E8FD49.TMP"
                                                                                                                                          6⤵
                                                                                                                                            PID:5352
                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uljf0nws.cmdline"
                                                                                                                                          5⤵
                                                                                                                                            PID:3020
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA30B396DA6942C3B2C4E770A97297D3.TMP"
                                                                                                                                              6⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:5628
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owriua1a.cmdline"
                                                                                                                                            5⤵
                                                                                                                                              PID:5968
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA00B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC49640E45CB54AB697CCBE9FF43AF6C3.TMP"
                                                                                                                                                6⤵
                                                                                                                                                  PID:5792
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1th_zprm.cmdline"
                                                                                                                                                5⤵
                                                                                                                                                  PID:2544
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA069.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA29DF7C13EA41CA9666F8CEDB781B50.TMP"
                                                                                                                                                    6⤵
                                                                                                                                                      PID:4484
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ijptltre.cmdline"
                                                                                                                                                    5⤵
                                                                                                                                                      PID:2880
                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC2B20AB8066449B86A3EECA8AEFFE64.TMP"
                                                                                                                                                        6⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:1840
                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g5bqf-pt.cmdline"
                                                                                                                                                      5⤵
                                                                                                                                                        PID:1636
                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA134.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A5BA1F870A04C5EA2CA1B4B1E245EED.TMP"
                                                                                                                                                          6⤵
                                                                                                                                                            PID:4328
                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yaasgmt-.cmdline"
                                                                                                                                                          5⤵
                                                                                                                                                            PID:804
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc210D8471DF4A41BAEBCBB1CCE7B429.TMP"
                                                                                                                                                              6⤵
                                                                                                                                                                PID:2084
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvgbtpya.cmdline"
                                                                                                                                                              5⤵
                                                                                                                                                                PID:5212
                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5535.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F8045616034402A8823CFB03BACB26.TMP"
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:4460
                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhqoipso.cmdline"
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:4616
                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y0ayfywh.cmdline"
                                                                                                                                                                    5⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:3496
                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC68ADA7CDEA74C9090ACE6776B2A3C.TMP"
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:996
                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhca86hz.cmdline"
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:5272
                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES565E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2C688F4E9C84BF7995AF0BDCE148FB8.TMP"
                                                                                                                                                                          6⤵
                                                                                                                                                                            PID:4032
                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gxldnbhz.cmdline"
                                                                                                                                                                          5⤵
                                                                                                                                                                            PID:496
                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6443FC0AFC94566804F581BE8DD26D6.TMP"
                                                                                                                                                                              6⤵
                                                                                                                                                                                PID:6008
                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmq3of2v.cmdline"
                                                                                                                                                                              5⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:2896
                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5748.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc327C098ACC3A40B983FD1CA28E1F4A39.TMP"
                                                                                                                                                                                6⤵
                                                                                                                                                                                  PID:5280
                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\otstmiai.cmdline"
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:5536
                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc835F74479B854BFC9A35BE4C2F3E683.TMP"
                                                                                                                                                                                    6⤵
                                                                                                                                                                                      PID:4064
                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hsnbtmtj.cmdline"
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:3380
                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5833.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E5CD5ED65A4943B7E6851D283A889B.TMP"
                                                                                                                                                                                        6⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:5116
                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qja4a2nk.cmdline"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                        PID:2792
                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F89AFEABAA24D5592C93F246E9F8C1.TMP"
                                                                                                                                                                                          6⤵
                                                                                                                                                                                            PID:692
                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xqazpibx.cmdline"
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:5404
                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES590D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3502CD1D99C74BD68EE164C8EA72FEB.TMP"
                                                                                                                                                                                              6⤵
                                                                                                                                                                                                PID:5448
                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vki49rqs.cmdline"
          5⤵
          PID:2512
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES598A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6A0FC5D8A684FE6A4988A72A48B103A.TMP"
            6⤵
            • System Location Discovery: System Language Discovery
            PID:584
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmxoyeaz.cmdline"
          5⤵
          PID:2352
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6CE288F9AB648B9BE5992E0D18AA83B.TMP"
            6⤵
            PID:1124
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_b4ymzd.cmdline"
          5⤵
          PID:2164
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47B09020A4CC412A82741A36D4C854C8.TMP"
            6⤵
            PID:2988
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u2xflg30.cmdline"
          5⤵
          PID:5176
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE10CBD702D3D45A4ADB74490163FF99D.TMP"
            6⤵
            PID:1424
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ksozbmit.cmdline"
          5⤵
          PID:5004
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD955F8AB72442DAB062272E491E490.TMP"
            6⤵
            PID:1208
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihuk6w6b.cmdline"
          5⤵
          • System Location Discovery: System Language Discovery
          PID:4396
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F92ACB9661342DC9BD569C342CA3D4.TMP"
            6⤵
            PID:5748
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytnmcq2a.cmdline"
          5⤵
          PID:1944
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDC29DBE83B747DD9FB2336AA41D5D8.TMP"
            6⤵
            PID:5588
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jlib7jpt.cmdline"
          5⤵
          PID:3204
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0F4202B44F2471F814D89E36844C7E8.TMP"
            6⤵
            PID:2604
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzmtgdc_.cmdline"
          5⤵
          PID:2324
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E88F241662A4D23ABDD119CE18D3D8F.TMP"
            6⤵
            • System Location Discovery: System Language Discovery
            PID:3244
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t0hjq9j0.cmdline"
          5⤵
          • System Location Discovery: System Language Discovery
          PID:5520
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF941386EC024A97A65553391857A67.TMP"
            6⤵
            PID:2392
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
  1⤵
  PID:3560
  • C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    2⤵
    • Executes dropped EXE
    PID:5336
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
  1⤵
  • Chimera
  • Drops desktop.ini file(s)
  • Drops file in Program Files directory
  • System Location Discovery: System Language Discovery
  • Suspicious use of AdjustPrivilegeToken
  PID:1672
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
    2⤵
    • Modifies Internet Explorer settings
    PID:2736
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  1⤵
  PID:2736
  • C:\Users\Admin\AppData\Local\Temp\is-A1Q34.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-A1Q34.tmp\butterflyondesktop.tmp" /SL5="$140374,2719719,54272,C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
    2⤵
    • Executes dropped EXE
    • Adds Run key to start application
    PID:3740
    • C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
      "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SendNotifyMessage
      PID:5840
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      3⤵
      PID:5540
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0x108,0x12c,0x7fff69d23cb8,0x7fff69d23cc8,0x7fff69d23cd8
        4⤵
        PID:2008
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:2592
                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                PID:2460
                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:6104
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                PID:668
                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:5216
                                                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:3556
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:4664
                                                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                    PID:336
                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:2180
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                    PID:3020
                                                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                      PID:5896
                                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:5400
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                      PID:880
                                                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                        PID:3948
                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                          PID:3980
                                                                                                                                                                                                                                    • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                                                                                      C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                      PID:1520
                                                                                                                                                                                                                                      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                                                                                                                                                                        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip.crypt"
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                        • Enumerates connected drives
                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                        PID:884
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\unregmp2.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:660
                                                                                                                                                                                                                                            • C:\Windows\system32\unregmp2.exe
                                                                                                                                                                                                                                              "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                              • Enumerates connected drives
                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                              PID:2028
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  • Suspicious use of AdjustPrivilegeToken
  PID:5960
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    2⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    PID:4356
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:3284
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  1⤵
  • Drops file in Windows directory
  PID:4880
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"
  1⤵
  PID:3656
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"
  1⤵
  • System Location Discovery: System Language Discovery
  PID:2864
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
  1⤵
  PID:6060
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  • Suspicious use of AdjustPrivilegeToken
  PID:4236
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    2⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    PID:4688
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:668
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FlashKiller.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FlashKiller.exe"
  1⤵
  PID:4724
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe"
  1⤵
  • Adds Run key to start application
  • Drops file in Windows directory
  • System Location Discovery: System Language Discovery
  • Suspicious use of SetWindowsHookEx
  PID:5536
  • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    2⤵
    • Executes dropped EXE
    • Suspicious use of SendNotifyMessage
    PID:976
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe"
  1⤵
  • Drops file in Windows directory
  • System Location Discovery: System Language Discovery
  • NTFS ADS
  • Suspicious use of AdjustPrivilegeToken
  PID:4472
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\$Recycle.Bin.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:4340
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:3008
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\$Recycle.Bin.exe", "C:\$Recycle.Bin.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2224
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\93b36425.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:1492
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:1488
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\93b36425.exe", "C:\93b36425.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:4056
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\Documents and Settings.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:4732
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:2052
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\Documents and Settings.exe", "C:\Documents and Settings.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:2704
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\PerfLogs.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:2308
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:1956
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\PerfLogs.exe", "C:\PerfLogs.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:3288
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\Recovery.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:1952
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:4216
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\Recovery.exe", "C:\Recovery.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:3352
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:5304
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:1368
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe", "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:3204
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x64.log.html.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:2604
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:2884
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x64.log.html.exe", "C:\vcredist2010_x64.log.html.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:1344
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:1828
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:964
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe", "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2880
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x86.log.html.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:5016
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:4648
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x86.log.html.exe", "C:\vcredist2010_x86.log.html.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:1928
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:3536
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:5256
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:3084
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:5388
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:668
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:2484
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:4724
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:1228
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:1932
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:1184
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:1068
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe", "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:5208
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:5652
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:5712
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:1008
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:2776
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:3720
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:1744
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:4700
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:3236
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:4980
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:812
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:736
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe", "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:5200
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:5548
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:576
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:5224
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:2192
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
      PID:3884
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
      PID:3344
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
      PID:6096
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
    • System Location Discovery: System Language Discovery
      PID:3352
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • System Location Discovery: System Language Discovery
      PID:1060
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract F:\$RECYCLE.BIN.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    2⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
      PID:5020
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    2⤵
      PID:4744
  • C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite F:\$RECYCLE.BIN.exe", "F:\$RECYCLE.BIN.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    2⤵
    • Enumerates connected drives
      PID:5036
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe"
  1⤵
    PID:4992
• C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"
  1⤵
  • Adds Run key to start application
  • Suspicious behavior: GetForegroundWindowSpam
    PID:1352
• C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  1⤵
  • Modifies registry class
    PID:2192
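The repeating pattern in the tree above is worth turning into a detection: binaries named svchost.exe and taskhost.exe run from a per-sample folder under %TEMP% rather than from C:\Windows\System32, and take comma-separated -compile / -extract / -addoverwrite arguments that re-stamp an icon group onto files whose names end in .log.exe, .log.dll.sys.exe and $RECYCLE.BIN.exe at the drive root, which matches the "renames multiple files with added filename extension" signature in the report summary. The following triage script is an added example, not part of the sandbox report or of any of the samples it lists. It assumes, from the switch syntax alone, that the renamed tool is a legacy Resource Hacker style command-line resource editor (the report does not identify it); the sample command lines are copied from the tree above, and the two benign control lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# Process names the sample borrows from Windows (as seen in the tree above).
SYSTEM_NAMES = {"svchost.exe", "taskhost.exe", "taskhostw.exe", "csrss.exe", "lsass.exe"}
# Where those binaries legitimately live; anything else is masquerading.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Switch set of the legacy Resource Hacker CLI (assumption: the report only shows three of them).
RESOURCE_SWITCHES = {"-compile", "-extract", "-addoverwrite", "-add", "-delete", "-modify"}
# Data or driver-looking name that has been re-wrapped as an executable, e.g. ".log.exe", ".dll.sys.exe".
DOUBLE_EXT = re.compile(r"\.(log|txt|docx?|xlsx?|pdf|jpe?g|png|dll|sys)\.exe$", re.IGNORECASE)
# Image path is either a quoted string or the first whitespace-free token.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Return (image path, remaining argument string) for a Windows command line."""
    text = cmdline.strip()
    m = TOKEN.match(text)
    image = m.group(1) if m.group(1) is not None else m.group(2)
    return image, text[m.end():].strip()


def analyze(cmdline):
    """Return a list of human-readable findings for one process command line (empty if benign)."""
    image, rest = split_cmdline(cmdline)
    path = PureWindowsPath(image)
    findings = []

    # 1. System binary name outside the system directories.
    if path.name.lower() in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        findings.append(f"masquerade: {path.name} running from {path.parent}")

    # 2. Resource-editor switch as the first argument.
    args = rest.split(None, 1)
    switch = args[0].lower() if args else ""
    if switch in RESOURCE_SWITCHES:
        findings.append(f"resource-editor switch {switch}")
        # Legacy syntax is positional and comma-separated; the first operand is the PE read or written.
        operands = [a.strip().strip('"') for a in (args[1] if len(args) > 1 else "").split(",")]
        target = operands[0] if operands else ""
        if switch in ("-addoverwrite", "-extract") and target:
            if DOUBLE_EXT.search(target):
                findings.append(f"double-extension target {PureWindowsPath(target).name}")
            if re.match(r"^[A-Za-z]:\\[^\\]+$", target):
                findings.append(f"target at drive root {target}")
    return findings


def triage(cmdlines):
    """Map every command line that produced findings to those findings."""
    return {line: analyze(line) for line in cmdlines if analyze(line)}


TEMP = r"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146"
SAMPLE_CMDLINES = [
    # Lines 0-3 are copied from the process tree above (note the sample's own broken quoting in line 1).
    f'"{TEMP}\\taskhost.exe" -compile {TEMP}\\icons.rc, {TEMP}\\icons.res',
    f'"{TEMP}\\svchost.exe" -addoverwrite C:\\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe", '
    f'"C:\\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe, {TEMP}\\icons.res, icongroup,,',
    f'"{TEMP}\\svchost.exe" -extract C:\\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.dll.sys.exe, '
    f'{TEMP}\\icons.rc, icongroup,,',
    f'"{TEMP}\\svchost.exe" -extract F:\\$RECYCLE.BIN.dll.sys.exe, {TEMP}\\icons.rc, icongroup,,',
    # Constructed benign controls: the real service host and the OpenWith line from the tree.
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"C:\Windows\system32\OpenWith.exe -Embedding",
]

if __name__ == "__main__":
    for line, found in triage(SAMPLE_CMDLINES).items():
        print(split_cmdline(line)[0])
        for f in found:
            print("   ", f)
```

The script keys on three independent signals (wrong directory for a system binary name, resource-editor switch, and the shape of the file being stamped), so a single one firing is a lead and all three together, as on every svchost.exe line above, is a high-confidence match; the same logic ports directly to a Sysmon Event ID 1 or EDR process-creation query on the CommandLine field.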