badrabbit | hxxps://youtube[.]com

description	ioc	Process
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\321E.tmp	rundll32.exe
File created	C:\Windows\executables.bin	Bonzify.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1368	368	WerFault.exe	129

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2352	schtasks.exe
612	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2276	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "79"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "187"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "246"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30930888"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3647973712"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30930888"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "206"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "167"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce00000000020000000000106600000001000020000000c91735e773d2bcf06e8e3feeeb2627957845c86a351039381cb2d4032c80c590000000000e8000000002000020000000527a5b7b9aaa201738906ce32315551967c2be5d62d7e91050b43b33328a37e620000000133c742bb2b4cb8c821ee160894d4dcff03d52801842454dd41876c05e598005400000009b3a43ebe183e8a37aa910c7d2ddee972bed4496980d9f98294183fa675bac0417705c03918acfcc93419a02c19fe6fac0de874793eb03c29b8cc0625a5baef3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "79"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "1036"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "167"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "79"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "187"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3647973712"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{01D414F5-63BC-11EC-876A-D26FA49AA763} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce0000000002000000000010660000000100002000000049c9709cb83ec5f00b4da9a7447beb7fa68e2e45eaf3776ceb215f0f292adaba000000000e8000000002000020000000703a0e384b7f4ca48de75099755a970d3157677a3f7421b5dce677a46a4cdae2e0000000aab356c09fdb510fd02b6092689f2c7ee563facd37533ee2318df5cdca3e7c62c4f9ae89a93e9007a539dc148a9533ca8896d8abe8e69a60b6177ea73f7d268bb948f3fe8ef9019ffd00ff24951b2eac4c844ba652bbfa3ac4b2ee8d8668e68733a8c5ab7f1a1c1098c8b99f545557f0b991c2989a10685671989402090c5c69e16de66323d208191337b0fb9f92bc2987959f767cde94beb79d17da3d809d094038ff5291bb8902684f4e0c665311f780f7a89c075e7f08511980268d5d7a102b6113955feabe1df402501860c5b8bdb46a2031a55ff519b84e33da8fe370134000000036d369794bc229eea159dd4f74745f444803dcda4949c08c573ffbc41c64cfb6cf249c0b7f87aef11bdec80a67edd119f3df08721bc735c3967704d4227cceb7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "246"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "39"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "231"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "1056"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "167"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "1056"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0472ed1c8f7d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce00000000020000000000106600000001000020000000ddb2e3c3c963c37728c2d8c26a8eb030e760b957fae72434761bd270530f48c7000000000e8000000002000020000000b78e561449fda41aed4cce4d329cdf839ce74d0ceda16290baeac290c2fc344be0000000adfe200080c083eb6c1d2c07ce8148cf1650f884fd26d27bfafc26f94b5e88ea7349503e845a6c4bdfc06301673ad3a96b1949ca04f1e5f4dcc068a1454037bafc6cbb9d1644b5c1582c8d68c4066f231c7350606d40103ac04a3467f1ddb0cf987953c13fe377807cdc353d71ce87bd23ab459b5df16206b7b72b6485811d945f5d79829a94633900673543e2821e9442c8abd99ea3c82c04c45f3738e8834d49b8757c5908c8feb82161cde4e17c8b743b4056384af331ddd742e075eeb0f8a8063972b1541dd8ec8fbe8bd3dc64df3949006d1206d7ffcab663b969317a3c40000000fe75dc53c707915b472cda93f0f24ce119cf1e41e219587540b53b5a919577192616582c4b7fbbeda4d1e395ce9179275f94510fb7bdab7320be2138fb286b2c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "187"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "231"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "1036"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1056"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "39"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.opera.com\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "206"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "231"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\opera.com\Total = "246"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "206"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1036"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1316	chrome.exe
1316	chrome.exe
2556	chrome.exe
2556	chrome.exe
3932	chrome.exe
3932	chrome.exe
3552	chrome.exe
3552	chrome.exe
3068	chrome.exe
3068	chrome.exe
1416	chrome.exe
1416	chrome.exe
980	chrome.exe
980	chrome.exe
1640	chrome.exe
1640	chrome.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe
2320	rundll32.exe
2320	rundll32.exe
2320	rundll32.exe
2320	rundll32.exe
2520	321E.tmp
2520	321E.tmp
2520	321E.tmp
2520	321E.tmp
2520	321E.tmp
2520	321E.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeRestorePrivilege	1368	WerFault.exe
Token: SeBackupPrivilege	1368	WerFault.exe
Token: SeBackupPrivilege	1368	WerFault.exe
Token: SeDebugPrivilege	1368	WerFault.exe
Token: SeShutdownPrivilege	2320	rundll32.exe
Token: SeDebugPrivilege	2320	rundll32.exe
Token: SeTcbPrivilege	2320	rundll32.exe
Token: SeDebugPrivilege	2520	321E.tmp
Token: SeShutdownPrivilege	1648	FakeGoldenEye.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2480	iexplore.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2480	iexplore.exe
2480	iexplore.exe
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
2840	Bonzify.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2312	2556	chrome.exe	70
PID 2556 wrote to memory of 2312	2556	chrome.exe	70
PID 2480 wrote to memory of 3004	2480	iexplore.exe	71
PID 2480 wrote to memory of 3004	2480	iexplore.exe	71
PID 2480 wrote to memory of 3004	2480	iexplore.exe	71
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 2220	2556	chrome.exe	73
PID 2556 wrote to memory of 1316	2556	chrome.exe	72
PID 2556 wrote to memory of 1316	2556	chrome.exe	72
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74
PID 2556 wrote to memory of 932	2556	chrome.exe	74

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff812ac4f50,0x7ff812ac4f60,0x7ff812ac4f70
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1612 /prefetch:2
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4212 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4408 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3124 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,14689024796006783835,13377053130737819634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:3532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\Temp1_MalwareDatabase-master.zip\MalwareDatabase-master\Bonzify.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MalwareDatabase-master.zip\MalwareDatabase-master\Bonzify.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AgentSvr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /r /d y /f C:\Windows\MsAgent
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2412
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3168

C:\Users\Admin\AppData\Local\Temp\Temp1_Trojan.Win9x.FlashKiller.zip\FlashKiller.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Trojan.Win9x.FlashKiller.zip\FlashKiller.exe"
1⤵
PID:368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 232
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Drops file in Windows directory
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368

C:\Users\Admin\AppData\Local\Temp\Temp1_Virus.Win9x.CIH.zip\CIH.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Virus.Win9x.CIH.zip\CIH.exe"
1⤵
PID:2680

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_MalwareDatabase-master.zip\MalwareDatabase-master\Windows XP Horror Edition (WinXP.Horror.Destructive) (Created By WobbyChip).txt
1⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\Temp1_Annabelle Ransomware.zip\716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Annabelle Ransomware.zip\716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe"
1⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit Ransomware.zip\BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit Ransomware.zip\BadRabbit.exe"
1⤵
- Drops file in Windows directory
PID:2760
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:3180
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2522695123 && exit"
    3⤵
    PID:628
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2522695123 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 06:06:00
    3⤵
    PID:528
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 06:06:00
      4⤵
      Creates scheduled task(s)
      PID:612
- - C:\Windows\321E.tmp
    "C:\Windows\321E.tmp" \\.\pipe\{C3692B55-E65B-4600-AA1B-35EDEB0B189D}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520

C:\Users\Admin\AppData\Local\Temp\Temp1_Fake GoldenEye.zip\FakeGoldenEye.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Fake GoldenEye.zip\FakeGoldenEye.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {DFFACDC5-679F-4156-8947-C5C76BC0B67F} /I {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} /X 0x401
1⤵
PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2480-128-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-183-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-152-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-156-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-157-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-158-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-159-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-165-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-166-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-167-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-168-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-123-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-122-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-150-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-148-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-124-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-134-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-146-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-120-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-177-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-119-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-145-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-180-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-142-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-182-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-151-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-186-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-187-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-188-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-117-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-143-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-115-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-125-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-116-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-138-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-137-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-136-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-127-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-133-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-132-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-129-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-131-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download
memory/2480-121-0x00007FF812B70000-0x00007FF812BDB000-memory.dmp

Filesize
428KB

Download