hxxps://youtube[.]com

Resubmissions

17-12-2021 10:23

211217-meszeaecbk 8

17-12-2021 10:17

211217-mbj74adea2 10

Analysis

max time kernel
858s
max time network
859s
platform
windows10_x64
resource
win10-en-20211208
submitted
17-12-2021 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://youtube.com

Score

8^/10

bootkit google discovery persistence phishing spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
1840	MSAGENT.EXE
2420	tv_enua.exe
4964	AgentSvr.exe
5080	BonziBDY_4.EXE
4248	AgentSvr.exe
4788	BonziBDY_35.EXE
4820	BonziBDY_2.EXE
3916	BonziBDY_35.EXE
5064	BonziBDY_35.EXE
4592	BonziBDY_4.EXE
4652	software_reporter_tool.exe
4184	software_reporter_tool.exe
3416	software_reporter_tool.exe
836	software_reporter_tool.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 62 IoCs

pid	Process
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
2404	BonziBuddy432.exe
1840	MSAGENT.EXE
4840	regsvr32.exe
4860	regsvr32.exe
4876	regsvr32.exe
4900	regsvr32.exe
4912	regsvr32.exe
4932	regsvr32.exe
4944	regsvr32.exe
2420	tv_enua.exe
5016	regsvr32.exe
5016	regsvr32.exe
5032	regsvr32.exe
5080	BonziBDY_4.EXE
5080	BonziBDY_4.EXE
5080	BonziBDY_4.EXE
5080	BonziBDY_4.EXE
5080	BonziBDY_4.EXE
5080	BonziBDY_4.EXE
4248	AgentSvr.exe
4248	AgentSvr.exe
4248	AgentSvr.exe
4788	BonziBDY_35.EXE
4788	BonziBDY_35.EXE
4788	BonziBDY_35.EXE
4788	BonziBDY_35.EXE
4788	BonziBDY_35.EXE
4788	BonziBDY_35.EXE
4788	BonziBDY_35.EXE
4788	BonziBDY_35.EXE
4788	BonziBDY_35.EXE
4248	AgentSvr.exe
4248	AgentSvr.exe
5080	BonziBDY_4.EXE
5080	BonziBDY_4.EXE
5080	BonziBDY_4.EXE
4820	BonziBDY_2.EXE
4820	BonziBDY_2.EXE
4820	BonziBDY_2.EXE
4820	BonziBDY_2.EXE
4820	BonziBDY_2.EXE
4820	BonziBDY_2.EXE
3916	BonziBDY_35.EXE
5064	BonziBDY_35.EXE
4592	BonziBDY_4.EXE
3416	software_reporter_tool.exe
3416	software_reporter_tool.exe
3416	software_reporter_tool.exe
3416	software_reporter_tool.exe
3416	software_reporter_tool.exe
3416	software_reporter_tool.exe
3416	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tskill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tskill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	Conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	tskill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskkill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tv_enua.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tskill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	tskill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	taskkill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	tskill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskkill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	tskill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tskill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	taskkill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tskill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	tskill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tskill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	taskkill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskkill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tskill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tskill.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	tskill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_malware-master.zip\\malware-master\\CODEEVO\\\\CODEEVO.exe"	tskill.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Detected potential entity reuse from brand google.
phishing google

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SET7CF3.tmp	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe
File created	C:\Windows\SysWOW64\sysdel.bat	D3STR0Y3R.exe
File created	C:\Windows\SysWOW64\ramcrash.bat	D3STR0Y3R.exe
File opened for modification	C:\Windows\System32\ras\SSTPProxy\ProxyConfig.xml	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SET7CF3.tmp	tv_enua.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BG\Bg3.bmp	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page17.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page6.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb011.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page12.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page7.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\p001.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t3.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY.vbw	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page16.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page6.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page7.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\book	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page7.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page1.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Apps.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\sites.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\j2.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\MSWINSCK.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page8.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\CHORD.WAV	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\empop3.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\chose.bat	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page0.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page15.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page2.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY.vbw	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualShortcutsMaker.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page3.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb016.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page10.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page11.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\ssa3d30.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\actcnc.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page0.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\AutoShortcutsMaker.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page14.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page17.htm	BonziBuddy432.exe
File created	C:\Program Files (x86)\BonziBuddy432\Uninstall.ini	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\emsmtp.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\P001.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page16.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page0.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp002.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp004.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\ActiveSkin.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Regicon.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page4.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Reg.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualDirPatcher.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\registry.reg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page13.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page4.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Apps.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\msvbvm60.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb001.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page6.jpg	BonziBuddy432.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\msagent\SET77B1.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\agtinst.inf	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\mslwvtts.dll	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe
File created	C:\Windows\msagent\SET779E.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentPsh.dll	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET7CDF.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\SET7CF2.tmp	tv_enua.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe
File opened for modification	C:\Windows\msagent\chars\Peedy.acs	BonziBuddy432.exe
File created	C:\Windows\msagent\SET77C3.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentAnm.dll	MSAGENT.EXE
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET7CDE.tmp	tv_enua.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\msagent\chars\Bonzi.acs	BonziBuddy432.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\lhsp\tv\SET7CDF.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET77D4.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET7CDE.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET77D3.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\intl\SET7807.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET7808.tmp	MSAGENT.EXE
File created	C:\Windows\fonts\SET7CF1.tmp	tv_enua.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File opened for modification	C:\Windows\fonts\SET7CF1.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\msagent\SET77B0.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET77B2.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET77D3.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET77F5.tmp	MSAGENT.EXE
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	taskmgr.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SET77F4.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\SET7807.tmp	MSAGENT.EXE
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET77B1.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET77B2.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET77F5.tmp	MSAGENT.EXE
File created	C:\Windows\lhsp\help\SET7CF0.tmp	tv_enua.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\421858948\3551649488.pri	LogonUI.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET77D4.tmp	MSAGENT.EXE
File created	C:\Windows\INF\SET77F4.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7808.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET779E.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET77AF.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	MSAGENT.EXE

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
5552	taskkill.exe
6792	taskkill.exe
6844	taskkill.exe
5140	taskkill.exe
5896	taskkill.exe
5548	taskkill.exe
6280	taskkill.exe
5024	taskkill.exe
5540	taskkill.exe
5688	taskkill.exe
5436	taskkill.exe
5676	taskkill.exe
7128	taskkill.exe
5512	taskkill.exe
6120	taskkill.exe
5564	taskkill.exe
4784	taskkill.exe
6264	taskkill.exe
6228	taskkill.exe
5532	taskkill.exe
5648	taskkill.exe
7064	taskkill.exe
6264	taskkill.exe
6280	taskkill.exe
6532	taskkill.exe
3464	taskkill.exe
6112	taskkill.exe
3256	taskkill.exe
5592	taskkill.exe
4688	taskkill.exe
6084	taskkill.exe
5560	taskkill.exe
5764	taskkill.exe
6080	taskkill.exe
7072	taskkill.exe
5336	taskkill.exe
5260	taskkill.exe
5564	taskkill.exe
5944	taskkill.exe
5404	taskkill.exe
5732	taskkill.exe
6080	taskkill.exe
5788	taskkill.exe
6104	taskkill.exe
5540	taskkill.exe
5580	taskkill.exe
4864	taskkill.exe
6960	taskkill.exe
4820	taskkill.exe
6048	taskkill.exe
6096	taskkill.exe
5724	taskkill.exe
5748	taskkill.exe
5804	taskkill.exe
5888	taskkill.exe
5288	taskkill.exe
5840	taskkill.exe
6204	taskkill.exe
6260	taskkill.exe
6500	taskkill.exe
5416	taskkill.exe
6208	taskkill.exe
6488	taskkill.exe
5912	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64DF2F-88E4-11D0-9E87-00C04FD7081F}\ = "Microsoft Agent DocFile Provider 1.5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.clsRegistration\Clsid	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368C5B10-6A0F-11CE-9425-0000C0C14E92}\ToolboxBitmap32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinButton.1\ = "ActiveSkin.SkinButton Class"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F55ED2E0-6E13-11CE-918C-0000C0554C0A}\TypeLib\ = "{643F1353-1D07-11CE-9E52-0000C0554C0A}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E91E27A2-C5AE-11D2-8D1B-00104B9E072A}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{972DE6C2-8B09-11D2-B652-A1FD6CC34260}\ToolboxBitmap32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B1BE80A-567F-11D1-B652-0060976C699F}\1.1	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE9-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB61DB30-B032-11D0-A853-0000C02AC6DB}\TypeLib\ = "{0A45DB48-BD0D-11D2-8D14-00104B9E072A}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCE47F78-8A6C-4C6D-A6F7-8BE4427127C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSCOMCTL.OCX"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE3-1BF9-11D2-BAE8-00104B9E0792}\Version\ = "3.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E91E27A3-C5AE-11D2-8D1B-00104B9E072A}\Programmable	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinItem	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\0\win32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F67-055F-11D4-8F9B-00104BA312D6}\VERSION	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D41-2CDD-11D3-9DD0-D3CD4078982A}\VersionIndependentProgID	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D49-2CDD-11D3-9DD0-D3CD4078982A}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E20FD10-1BEB-11CE-80FB-0000C0C14E92}\TypeLib\ = "{E8671A8B-E5DD-11CD-836C-0000C0C14E92}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{14E27A70-69F0-11CE-9425-0000C0C14E92}\TypeLib\ = "{E8671A8B-E5DD-11CD-836C-0000C0C14E92}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D44-2CDD-11D3-9DD0-D3CD4078982A}\Version\ = "1.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F6A-055F-11D4-8F9B-00104BA312D6}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4043742-AC8D-4F86-88E9-F3FD3369DD8C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4900F6B-055F-11D4-8F9B-00104BA312D6}\TypeLib	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4043742-AC8D-4F86-88E9-F3FD3369DD8C}\ProxyStubClsid	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server.2\CLSID\ = "{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4043742-AC8D-4F86-88E9-F3FD3369DD8C}\TypeLib\Version = "1.1"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D4E-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib\Version = "1.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00E212A2-E66D-11CD-836C-0000C0C14E92}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8671A88-E5DD-11CD-836C-0000C0C14E92}\MiscStatus\1\ = "164241"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "131473"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DA7E73-B94F-49A2-9FEF-9F4B40C8E221}\ProgID	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DACB7A39-CC0D-4B85-908B-10D2451761A5}	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE8-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\ = "{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00E212A2-E66D-11CD-836C-0000C0C14E92}\TypeLib\ = "{E8671A8B-E5DD-11CD-836C-0000C0C14E92}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368C5B10-6A0F-11CE-9425-0000C0C14E92}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	BonziBuddy432.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1036	chrome.exe
1036	chrome.exe
1064	chrome.exe
1064	chrome.exe
2424	chrome.exe
2424	chrome.exe
1768	chrome.exe
1768	chrome.exe
988	chrome.exe
988	chrome.exe
3480	chrome.exe
3480	chrome.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
2220	chrome.exe
2220	chrome.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
832	chrome.exe
832	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1872	taskmgr.exe
3652	DELmE_s Batch Virus Generator v 2.0.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
632	Process not Found

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2656	MicrosoftEdgeCP.exe
2656	MicrosoftEdgeCP.exe
2656	MicrosoftEdgeCP.exe
2656	MicrosoftEdgeCP.exe
5092	MicrosoftEdgeCP.exe
5092	MicrosoftEdgeCP.exe
5092	MicrosoftEdgeCP.exe
5092	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	taskmgr.exe
Token: SeSystemProfilePrivilege	1872	taskmgr.exe
Token: SeCreateGlobalPrivilege	1872	taskmgr.exe
Token: SeShutdownPrivilege	1304	control.exe
Token: SeCreatePagefilePrivilege	1304	control.exe
Token: SeSystemtimePrivilege	940	rundll32.exe
Token: SeSystemtimePrivilege	940	rundll32.exe
Token: SeSystemtimePrivilege	940	rundll32.exe
Token: SeSystemtimePrivilege	940	rundll32.exe
Token: 33	1872	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1872	taskmgr.exe
Token: SeDebugPrivilege	4220	MicrosoftEdge.exe
Token: SeDebugPrivilege	4220	MicrosoftEdge.exe
Token: SeDebugPrivilege	4220	MicrosoftEdge.exe
Token: SeDebugPrivilege	4220	MicrosoftEdge.exe
Token: SeDebugPrivilege	4220	MicrosoftEdge.exe
Token: SeDebugPrivilege	4584	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4584	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4584	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4584	MicrosoftEdgeCP.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4768	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4768	AUDIODG.EXE
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: SeShutdownPrivilege	5064	svchost.exe
Token: SeCreatePagefilePrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: SeLoadDriverPrivilege	5064	svchost.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe
Token: 33	4248	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4248	AgentSvr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1064	chrome.exe
1064	chrome.exe
1872	taskmgr.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1064	chrome.exe
1064	chrome.exe
1872	taskmgr.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe
1872	taskmgr.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
2404	BonziBuddy432.exe
2420	tv_enua.exe
1840	MSAGENT.EXE
4220	MicrosoftEdge.exe
4516	MicrosoftEdgeCP.exe
4516	MicrosoftEdgeCP.exe
4964	AgentSvr.exe
5080	BonziBDY_4.EXE
5080	BonziBDY_4.EXE
4788	BonziBDY_35.EXE
4788	BonziBDY_35.EXE
4868	BonziBuddy432.exe
4536	mspaint.exe
4536	mspaint.exe
4536	mspaint.exe
4536	mspaint.exe
3056	BonziBuddy432.exe
4820	BonziBDY_2.EXE
4820	BonziBDY_2.EXE
3916	BonziBDY_35.EXE
5064	BonziBDY_35.EXE
4592	BonziBDY_4.EXE
2180	MEMZ.exe
4228	MEMZ.exe
3916	MEMZ.exe
4832	MEMZ.exe
4144	MEMZ.exe
4632	MEMZ.exe
2832	MEMZ.exe
2880	MicrosoftEdge.exe
2656	MicrosoftEdgeCP.exe
2656	MicrosoftEdgeCP.exe
2960	MicrosoftEdge.exe
5092	MicrosoftEdgeCP.exe
5092	MicrosoftEdgeCP.exe
6388	LogonUI.exe
6388	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1028	1064	chrome.exe	69
PID 1064 wrote to memory of 1028	1064	chrome.exe	69
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 504	1064	chrome.exe	70
PID 1064 wrote to memory of 1036	1064	chrome.exe	71
PID 1064 wrote to memory of 1036	1064	chrome.exe	71
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72
PID 1064 wrote to memory of 1176	1064	chrome.exe	72

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe21c94f50,0x7ffe21c94f60,0x7ffe21c94f70
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1544 /prefetch:2
  2⤵
  PID:504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4176 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=908 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2000 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2188 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4228 /prefetch:8
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4812 /prefetch:2
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:1060
- C:\Windows\system32\control.exe
  "C:\Windows\system32\control.exe" /name Microsoft.DateAndTime
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6720 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7120 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1708 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7072 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7272 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7396 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4260 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7612 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7608 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7960 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7680 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7872 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1468 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1468 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7380 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7272 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7916 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7720 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=992 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7976 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=772 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=131 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7484 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7584 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7408 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=864 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1468 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7564 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=143 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=144 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7124 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1468 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=149 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7452 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  PID:4600
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
  "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=IaeGQaRo0/zFyopUlRQRoEMXvObwAFeCsNdgZYwv --registry-suffix=ESET --extended-safebrowsing-enabled --chrome-version=89.0.4389.114 --chrome-channel=4 --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
  2⤵
  - Executes dropped EXE
  PID:4652
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=94.273.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff795acc4b8,0x7ff795acc4c8,0x7ff795acc4d8
    3⤵
    - Executes dropped EXE
    PID:4184
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --extended-safebrowsing-enabled --use-crash-handler-with-id="\\.\pipe\crashpad_4652_ROCORJDJWHGPMNSM" --sandboxed-process-id=2 --init-done-notifier=708 --sandbox-mojo-pipe-token=5936865905002306969 --mojo-platform-channel-handle=684 --engine=2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3416
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --extended-safebrowsing-enabled --use-crash-handler-with-id="\\.\pipe\crashpad_4652_ROCORJDJWHGPMNSM" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=5026435978250885412 --mojo-platform-channel-handle=924
    3⤵
    - Executes dropped EXE
    PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,2101524416253398430,10224238953415506820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7212 /prefetch:8
  2⤵
  PID:2280

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1872

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2868

C:\Users\Admin\Desktop\BonziBuddy432.exe
"C:\Users\Admin\Desktop\BonziBuddy432.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
  2⤵
  PID:916
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
    MSAGENT.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1840
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4840
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4860
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      Loads dropped DLL
      PID:4876
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      Loads dropped DLL
      PID:4900
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      Loads dropped DLL
      PID:4912
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      Loads dropped DLL
      PID:4932
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      Loads dropped DLL
      PID:4944
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:4964
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:4980
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
    tv_enua.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2420
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      Loads dropped DLL
      PID:5016
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      Loads dropped DLL
      PID:5032
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:5052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4516

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:2980

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL speech.cpl,,0
  2⤵
  PID:4448
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL speech.cpl,,0
    3⤵
    PID:4476

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Users\Admin\Desktop\BonziBuddy432.exe
"C:\Users\Admin\Desktop\BonziBuddy432.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe21c94f50,0x7ffe21c94f60,0x7ffe21c94f70
  2⤵
  PID:4936

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:872

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:4720

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
- Drops file in System32 directory
PID:1968

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3796

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5064

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:5008

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\GetNew.emf"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4536

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:4148

C:\Users\Admin\Desktop\BonziBuddy432.exe
"C:\Users\Admin\Desktop\BonziBuddy432.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Users\Admin\AppData\Local\Temp\Temp1_BonziKill (1).zip\BonziKill.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_BonziKill (1).zip\BonziKill.exe"
1⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe21c94f50,0x7ffe21c94f60,0x7ffe21c94f70
  2⤵
  PID:2164

C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2180
- C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4228
- C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3916
- C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4144
- C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4632
- C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2832
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:5592
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4624

C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe"
1⤵
- Drops file in System32 directory
PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title Welcome!
  2⤵
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title D3STR0Y3R T00L
  2⤵
  PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title Page 1
  2⤵
  PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sysdel.bat
  2⤵
  PID:3868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4892

C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe"
1⤵
- Drops file in System32 directory
PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title Welcome!
  2⤵
  PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title D3STR0Y3R T00L
  2⤵
  PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title D3STR0Y3R T00L
  2⤵
  PID:3648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title Page 1
  2⤵
  PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ramcrash.bat
  2⤵
  PID:4880

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4240

C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\DELmE\DELmE_s Batch Virus Generator v 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\DELmE\DELmE_s Batch Virus Generator v 2.0.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3652

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4724

C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\CODEEVO.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\CODEEVO.exe"
1⤵
PID:5184
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B5D4.tmp\B5D5.bat C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\CODEEVO.exe"
  2⤵
  PID:5228
- - C:\Windows\system32\mode.com
    mode 80, 33
    3⤵
    PID:5248
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5272
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5284
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5328
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5352
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5396
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5416
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5448
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5472
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5492
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5512
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:5532
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5552
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5572
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5592
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5648
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5668
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5684
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5700
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5716
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5732
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:5748
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5764
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5788
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5780
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5824
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5848
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5868
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5884
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5900
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5912
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5928
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5944
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5960
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5980
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6016
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:6032
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6048
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6064
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6080
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:6096
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:6112
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:6128
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4328
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5260
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5288
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5336
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5380
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5412
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5432
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:5456
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5448
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5488
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5496
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5520
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5560
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5552
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5580
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5596
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5616
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5140
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:4688
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:3256
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5644
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:1212
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:976
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5164
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5168
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5652
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5672
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5688
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5712
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5728
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5700
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5732
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5736
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5764
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5804
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5832
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5856
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5872
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5896
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5908
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5920
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5948
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5932
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6024
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:6032
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:6048
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6064
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6096
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:6120
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5252
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5312
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5388
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5356
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5420
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5468
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5436
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5500
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5528
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:5556
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:4680
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5588
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:4624
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5624
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:4688
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:3256
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4524
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:4524
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:4840
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5148
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:5176
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:5648
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5676
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5688
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5696
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5800
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5840
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5824
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5880
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5888
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:5892
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5900
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5936
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5984
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5956
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6032
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:6084
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6080
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6104
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6136
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5260
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5344
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5336
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5428
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5432
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Adds Run key to start application
    PID:5488
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5520
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5560
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5172
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5600
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5592
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:4624
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:4148
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    - Adds Run key to start application
    PID:3256
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:4688
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5148
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5176
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5648
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5676
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5724
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5764
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5804
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5832
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5868
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5876
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5900
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Adds Run key to start application
    PID:5936
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:6036
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6032
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6084
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:6080
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:6104
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:6136
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4712
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Adds Run key to start application
      PID:5312
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5284
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5432
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5004
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5528
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5568
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5552
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:5580
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:2420
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:4700
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4672
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:976
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5124
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5668
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5760
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5788
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5800
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5840
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:5856
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5916
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5940
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6076
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6060
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6128
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:6080
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6104
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5288
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    - Adds Run key to start application
    PID:5284
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5548
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:5564
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5560
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5568
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Adds Run key to start application
      PID:5552
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    - Adds Run key to start application
    PID:5588
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5124
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5676
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5724
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    - Adds Run key to start application
    PID:5764
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5804
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5888
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Adds Run key to start application
    - Kills process with taskkill
    PID:5944
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5948
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6076
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6112
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5248
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5288
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5540
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5004
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5528
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:4680
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:5580
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5028
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5124
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5760
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    - Adds Run key to start application
    PID:5676
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Adds Run key to start application
    PID:5832
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5856
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5900
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5984
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    - Adds Run key to start application
    PID:6128
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5404
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:1660
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5500
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5044
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5564
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5860
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5840
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:6080
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5004
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5724
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:4864
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5284
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5860
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5248
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5344
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:4300
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Adds Run key to start application
    PID:5860
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:4300
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:4784
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:4300
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:4784
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5564
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:4784
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:5564
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4300
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6152
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6188
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:6204
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:6220
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6236
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6252
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:6264
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:6280
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:6296
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6328
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6312
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6436
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:6876
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:6896
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6912
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6928
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:6944
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:6960
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:6976
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6992
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:7008
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:7028
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:7048
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7064
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:7080
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:7096
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:7112
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:7128
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    PID:7144
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7160
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5564
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6168
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6196
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:6208
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6228
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6244
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6252
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:6264
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:6280
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:6304
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6352
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6328
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6476
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6504
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:6532
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:6548
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6564
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6588
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:6608
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:6668
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:6692
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6652
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:4648
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:232
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5024
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:4924
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:3848
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:2832
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:6724
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5288
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5944
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5188
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:3772
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6760
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:6776
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6792
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6812
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6828
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:6844
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:6860
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:4508
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6864
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6620
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6616
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5404
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:6868
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:4488
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6512
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:4452
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:3464
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:4128
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4824
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:4968
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5948
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5676
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5540
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5940
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:3396
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:4820
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:4288
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:6872
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6936
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6900
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6908
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:6952
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:6960
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:7004
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:7060
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:7000
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:7072
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:7080
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7096
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:7112
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:7128
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Adds Run key to start application
    PID:7144
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:6152
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6224
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6188
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:6248
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:6260
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:6276
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6292
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6300
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6324
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:6488
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6500
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6520
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6536
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:6532
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:6548
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:6564
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6588
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:6660
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6672
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:6596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
- Adds Run key to start application
PID:5940

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:6104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4f055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6388

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6968

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-174-0x0000018654D60000-0x0000018654D61000-memory.dmp

Filesize
4KB

Download
memory/836-169-0x00000186549A3000-0x00000186549A4000-memory.dmp

Filesize
4KB

Download
memory/836-172-0x0000018654930000-0x0000018654932000-memory.dmp

Filesize
8KB

Download
memory/836-171-0x0000018654930000-0x0000018654932000-memory.dmp

Filesize
8KB

Download
memory/2960-215-0x000001C846420000-0x000001C846430000-memory.dmp

Filesize
64KB

Download
memory/2960-216-0x000001C846520000-0x000001C846530000-memory.dmp

Filesize
64KB

Download
memory/3416-197-0x0000024ACF9F0000-0x0000024ACFA30000-memory.dmp

Filesize
256KB

Download
memory/3416-203-0x0000024ACDE30000-0x0000024ACDE70000-memory.dmp

Filesize
256KB

Download
memory/3416-199-0x0000024ACF960000-0x0000024ACF9A0000-memory.dmp

Filesize
256KB

Download
memory/3416-196-0x0000024ACF9B0000-0x0000024ACF9F0000-memory.dmp

Filesize
256KB

Download
memory/3416-198-0x0000024ACDE30000-0x0000024ACDE70000-memory.dmp

Filesize
256KB

Download
memory/3416-194-0x0000024ACDE30000-0x0000024ACDE70000-memory.dmp

Filesize
256KB

Download
memory/3416-195-0x0000024ACDE30000-0x0000024ACDE70000-memory.dmp

Filesize
256KB

Download
memory/3416-161-0x0000024ACDA00000-0x0000024ACDA02000-memory.dmp

Filesize
8KB

Download
memory/3416-200-0x0000024ACF9A0000-0x0000024ACF9E0000-memory.dmp

Filesize
256KB

Download
memory/3416-201-0x0000024ACDE30000-0x0000024ACDE70000-memory.dmp

Filesize
256KB

Download
memory/3416-202-0x0000024ACFBE0000-0x0000024ACFC20000-memory.dmp

Filesize
256KB

Download
memory/3416-163-0x0000024ACDDE0000-0x0000024ACDDE1000-memory.dmp

Filesize
4KB

Download
memory/3416-162-0x00007FFE2C400000-0x00007FFE2C401000-memory.dmp

Filesize
4KB

Download
memory/3416-158-0x0000024ACDA70000-0x0000024ACDA71000-memory.dmp

Filesize
4KB

Download
memory/3416-160-0x0000024ACDA00000-0x0000024ACDA02000-memory.dmp

Filesize
8KB

Download
memory/4184-157-0x000002AA3F3B0000-0x000002AA3F3B2000-memory.dmp

Filesize
8KB

Download
memory/4184-156-0x000002AA3F3B0000-0x000002AA3F3B2000-memory.dmp

Filesize
8KB

Download
memory/4652-154-0x00000202A40F0000-0x00000202A40F2000-memory.dmp

Filesize
8KB

Download
memory/4652-153-0x00000202A40F0000-0x00000202A40F2000-memory.dmp

Filesize
8KB

Download
memory/4768-140-0x0000025164CB0000-0x0000025164CB2000-memory.dmp

Filesize
8KB

Download
memory/4768-139-0x0000025164CB0000-0x0000025164CB2000-memory.dmp

Filesize
8KB

Download
memory/4820-145-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/4820-144-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/4820-143-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download