blacknet | 869125ed76969ba80597b88176721fe581d331a114f94e9906c8d152f7388ee3

Processes:

upx_compresser.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6036-163-0x0000000000190000-0x00000000009AC000-memory.dmp	family_redline
behavioral1/memory/6036-164-0x0000000000190000-0x00000000009AC000-memory.dmp	family_redline
behavioral1/memory/4824-172-0x0000000000030000-0x000000000084C000-memory.dmp	family_redline
behavioral1/memory/4824-173-0x0000000000030000-0x000000000084C000-memory.dmp	family_redline
behavioral1/memory/2808-180-0x00000000005E0000-0x0000000000DFC000-memory.dmp	family_redline
behavioral1/memory/2808-181-0x00000000005E0000-0x0000000000DFC000-memory.dmp	family_redline
behavioral1/memory/4932-187-0x0000000000190000-0x00000000009AC000-memory.dmp	family_redline
behavioral1/memory/4932-189-0x0000000000190000-0x00000000009AC000-memory.dmp	family_redline
behavioral1/memory/3904-193-0x00000000005E0000-0x0000000000DFC000-memory.dmp	family_redline
behavioral1/memory/3904-196-0x00000000005E0000-0x0000000000DFC000-memory.dmp	family_redline
behavioral1/memory/3904-197-0x00000000005E0000-0x0000000000DFC000-memory.dmp	family_redline

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

Kurome.Builder.exeKurome.Host.exeKurome.Loader.exePanel.exeKurome.Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Kurome.Host.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Kurome.Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Panel.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Kurome.Loader.exe

Blocklisted process makes network request 64 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
7	4880	wscript.exe
8	1332	wscript.exe
9	4764	wscript.exe
15	4764	wscript.exe
25	4764	wscript.exe
28	4764	wscript.exe
51	4764	wscript.exe
70	4764	wscript.exe
80	1332	wscript.exe
81	4880	wscript.exe
87	4764	wscript.exe
96	4764	wscript.exe
98	4764	wscript.exe
103	4764	wscript.exe
107	4764	wscript.exe
108	4880	wscript.exe
109	1332	wscript.exe
110	4764	wscript.exe
113	4764	wscript.exe
114	4764	wscript.exe
116	4764	wscript.exe
124	4764	wscript.exe
130	4764	wscript.exe
134	1332	wscript.exe
135	4880	wscript.exe
140	4764	wscript.exe
152	4764	wscript.exe
156	4764	wscript.exe
165	4764	wscript.exe
166	4764	wscript.exe
170	4764	wscript.exe
171	1332	wscript.exe
172	4880	wscript.exe
173	4764	wscript.exe
174	4764	wscript.exe
175	4764	wscript.exe
176	4764	wscript.exe
178	4764	wscript.exe
179	1332	wscript.exe
180	4880	wscript.exe
181	4764	wscript.exe
182	4764	wscript.exe
183	4764	wscript.exe
191	4764	wscript.exe
198	4764	wscript.exe
200	4764	wscript.exe
201	1332	wscript.exe
202	4880	wscript.exe
203	4764	wscript.exe
204	4764	wscript.exe
205	4764	wscript.exe
209	4764	wscript.exe
211	4764	wscript.exe
213	4880	wscript.exe
214	1332	wscript.exe
216	4764	wscript.exe
217	4764	wscript.exe
218	4764	wscript.exe
221	4764	wscript.exe
222	4764	wscript.exe
223	4764	wscript.exe
224	4880	wscript.exe
225	1332	wscript.exe
226	4764	wscript.exe

Executes dropped EXE 44 IoCs

Processes:

ChromeRecovery.exetaskdl.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskhsvc.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exesvshost.exejusched.exeWinlockerBuilderv5.exeupx_compresser.exeupx_compresser.exetaskse.exetaskmgr.exetaskdl.exetaskhost.exetaskhost.exesvshost.exeWinlockerBuilderv5.exe

pid	process
4164	ChromeRecovery.exe
396	taskdl.exe
4148	@WanaDecryptor@.exe
4532	@WanaDecryptor@.exe
2196	taskhsvc.exe
4556	taskdl.exe
4576	taskse.exe
3424	@WanaDecryptor@.exe
1828	taskdl.exe
1080	taskse.exe
5208	@WanaDecryptor@.exe
368	taskdl.exe
5192	taskse.exe
5832	@WanaDecryptor@.exe
1512	taskse.exe
3432	@WanaDecryptor@.exe
4284	taskdl.exe
5716	taskse.exe
972	@WanaDecryptor@.exe
5960	taskdl.exe
3128	taskse.exe
476	@WanaDecryptor@.exe
4452	taskdl.exe
5196	taskse.exe
4844	@WanaDecryptor@.exe
3952	taskdl.exe
1664	taskse.exe
2392	@WanaDecryptor@.exe
4144	taskdl.exe
5324	taskse.exe
3180	@WanaDecryptor@.exe
4508	taskdl.exe
3100	svshost.exe
5612	jusched.exe
2788	WinlockerBuilderv5.exe
5260	upx_compresser.exe
3876	upx_compresser.exe
5664	taskse.exe
5844	taskmgr.exe
824	taskdl.exe
4092	taskhost.exe
3960	taskhost.exe
1940	svshost.exe
4836	WinlockerBuilderv5.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2788-303-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4836-309-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/2788-310-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4836-313-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/2788-314-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4836-315-0x0000000000400000-0x0000000000C89000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Kurome.Builder.exeKurome.Loader.exePanel.exeKurome.Host.exeKurome.Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Kurome.Builder.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Kurome.Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Panel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Panel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Kurome.Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Kurome.Builder.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Kurome.Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Kurome.Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Kurome.Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Kurome.Loader.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

wscript.exesvshost.exeupx_compresser.exejusched.exesvshost.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	upx_compresser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	jusched.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 19 IoCs

Processes:

taskmgr.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exetaskmgr.exetaskmgr.exewscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\gxphmnnrpg_wynmove.js	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD96B2.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GXPhmnNRPG_wynmove.js.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nYnEJuzswi.js	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\nynejuzswi.js.wncry	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\gxphmnnrpg_wynmove.js	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\nynejuzswi.js	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\nynejuzswi.js	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nYnEJuzswi.js.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nYnEJuzswi.js.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GXPhmnNRPG_wynmove.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GXPhmnNRPG_wynmove.js	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GXPhmnNRPG_wynmove.js.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\gxphmnnrpg_wynmove.js.wncry	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GXPhmnNRPG_wynmove.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nYnEJuzswi.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nYnEJuzswi.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nYnEJuzswi.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD96C8.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Loads dropped DLL 35 IoCs

Processes:

configuretion.exeBuilder.exetaskhsvc.exe

pid	process
5940	configuretion.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
4892	Builder.exe
2196	taskhsvc.exe
2196	taskhsvc.exe
2196	taskhsvc.exe
2196	taskhsvc.exe
2196	taskhsvc.exe
2196	taskhsvc.exe
2196	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4456 icacls.exe

pid	process
4456	icacls.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/6036-163-0x0000000000190000-0x00000000009AC000-memory.dmp	themida
behavioral1/memory/6036-164-0x0000000000190000-0x00000000009AC000-memory.dmp	themida
behavioral1/memory/4824-172-0x0000000000030000-0x000000000084C000-memory.dmp	themida
behavioral1/memory/4824-173-0x0000000000030000-0x000000000084C000-memory.dmp	themida
behavioral1/memory/2808-180-0x00000000005E0000-0x0000000000DFC000-memory.dmp	themida
behavioral1/memory/2808-181-0x00000000005E0000-0x0000000000DFC000-memory.dmp	themida
behavioral1/memory/4932-187-0x0000000000190000-0x00000000009AC000-memory.dmp	themida
behavioral1/memory/4932-189-0x0000000000190000-0x00000000009AC000-memory.dmp	themida
behavioral1/memory/3904-196-0x00000000005E0000-0x0000000000DFC000-memory.dmp	themida
behavioral1/memory/3904-197-0x00000000005E0000-0x0000000000DFC000-memory.dmp	themida

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

wscript.exewscript.exeSearchApp.exeWinlockerBuilderv5.exeupx_compresser.exejusched.exereg.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GXPhmnNRPG_wynmove = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GXPhmnNRPG_wynmove.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\Desktop\\WinlockerBuilderv5.exe"	SearchApp.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AudioDriver = "C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zywnfqwizjcp627 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GXPhmnNRPG_wynmove = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GXPhmnNRPG_wynmove.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\Desktop\\WinlockerBuilderv5.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GXPhmnNRPG_wynmove = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GXPhmnNRPG_wynmove.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GXPhmnNRPG_wynmove = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GXPhmnNRPG_wynmove.js\""	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@WanaDecryptor@.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Kurome.Builder.exeKurome.Host.exeKurome.Loader.exePanel.exeKurome.Loader.exe

pid process

6036 Kurome.Builder.exe
4824 Kurome.Host.exe
2808 Kurome.Loader.exe
4932 Panel.exe
3904 Kurome.Loader.exe

pid	process
6036	Kurome.Builder.exe
4824	Kurome.Host.exe
2808	Kurome.Loader.exe
4932	Panel.exe
3904	Kurome.Loader.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

upx_compresser.exetaskhost.exe

description	pid	process	target process
PID 5260 set thread context of 3876	5260	upx_compresser.exe	upx_compresser.exe
PID 4092 set thread context of 3960	4092	taskhost.exe	taskhost.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4684_1420665804\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4684_1420665804\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4684_1420665804\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4684_1420665804\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4684_1420665804\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4684_1420665804\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4684_1420665804\manifest.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3236	1748	WerFault.exe	SearchApp.exe
1460	3236	WerFault.exe	WerFault.exe
5016	440	WerFault.exe	SearchApp.exe
3152	2476	WerFault.exe	dwm.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 4 IoCs

Processes:

taskmgr.exechrome.exemsedge.exeupx_compresser.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	upx_compresser.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5244 reg.exe

pid	process
5244	reg.exe

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	988	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1624	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1505	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2002	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1877	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2032	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2144	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	443	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	633	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	882	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	842	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1321	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1602	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	398	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	627	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	680	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1079	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1097	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	405	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	807	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1001	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1665	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1698	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1841	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	382	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1138	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1407	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	166	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	960	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	574	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	623	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	856	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1542	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1584	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	103	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	152	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	281	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1996	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2193	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2207	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2017	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2123	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	173	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	684	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1068	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1850	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1386	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1445	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1535	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1192	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1418	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1711	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1762	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1797	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	289	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	588	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	995	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2076	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1820	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2222	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1358	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	1460	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	2107	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript
HTTP User-Agent header	15	WSHRAT\|36F4858E\|IYMUGYHL\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/10/2022\|JavaScript

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Builder.exe

pid process

4892 Builder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
5076	chrome.exe
5076	chrome.exe
3556	taskmgr.exe
3556	taskmgr.exe
4212	chrome.exe
4212	chrome.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
5092	chrome.exe
5092	chrome.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
5508	chrome.exe
5508	chrome.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
5864	chrome.exe
5864	chrome.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exeBuilder.exechrome.exe

pid process

2796 taskmgr.exe
4892 Builder.exe
4212 chrome.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

upx_compresser.exetaskhost.exe

pid process

5260 upx_compresser.exe
4092 taskhost.exe

pid	process
2796	taskmgr.exe
4892	Builder.exe
4212	chrome.exe

pid	process
660

pid	process
5260	upx_compresser.exe
4092	taskhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 62 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exeKurome.Builder.exeKurome.Host.exeKurome.Loader.exePanel.exeKurome.Loader.exetaskmgr.exexmrig.exeBuilder.exetaskse.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3556	taskmgr.exe
Token: SeSystemProfilePrivilege	3556	taskmgr.exe
Token: SeCreateGlobalPrivilege	3556	taskmgr.exe
Token: 33	3556	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3556	taskmgr.exe
Token: SeDebugPrivilege	6036	Kurome.Builder.exe
Token: SeDebugPrivilege	4824	Kurome.Host.exe
Token: SeDebugPrivilege	2808	Kurome.Loader.exe
Token: SeDebugPrivilege	4932	Panel.exe
Token: SeDebugPrivilege	3904	Kurome.Loader.exe
Token: SeDebugPrivilege	2796	taskmgr.exe
Token: SeSystemProfilePrivilege	2796	taskmgr.exe
Token: SeCreateGlobalPrivilege	2796	taskmgr.exe
Token: SeLockMemoryPrivilege	5580	xmrig.exe
Token: SeLockMemoryPrivilege	5580	xmrig.exe
Token: 33	2796	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2796	taskmgr.exe
Token: 35	4892	Builder.exe
Token: SeTcbPrivilege	4576	taskse.exe
Token: SeTcbPrivilege	4576	taskse.exe
Token: SeIncreaseQuotaPrivilege	476	WMIC.exe
Token: SeSecurityPrivilege	476	WMIC.exe
Token: SeTakeOwnershipPrivilege	476	WMIC.exe
Token: SeLoadDriverPrivilege	476	WMIC.exe
Token: SeSystemProfilePrivilege	476	WMIC.exe
Token: SeSystemtimePrivilege	476	WMIC.exe
Token: SeProfSingleProcessPrivilege	476	WMIC.exe
Token: SeIncBasePriorityPrivilege	476	WMIC.exe
Token: SeCreatePagefilePrivilege	476	WMIC.exe
Token: SeBackupPrivilege	476	WMIC.exe
Token: SeRestorePrivilege	476	WMIC.exe
Token: SeShutdownPrivilege	476	WMIC.exe
Token: SeDebugPrivilege	476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	476	WMIC.exe
Token: SeRemoteShutdownPrivilege	476	WMIC.exe
Token: SeUndockPrivilege	476	WMIC.exe
Token: SeManageVolumePrivilege	476	WMIC.exe
Token: 33	476	WMIC.exe
Token: 34	476	WMIC.exe
Token: 35	476	WMIC.exe
Token: 36	476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	476	WMIC.exe
Token: SeSecurityPrivilege	476	WMIC.exe
Token: SeTakeOwnershipPrivilege	476	WMIC.exe
Token: SeLoadDriverPrivilege	476	WMIC.exe
Token: SeSystemProfilePrivilege	476	WMIC.exe
Token: SeSystemtimePrivilege	476	WMIC.exe
Token: SeProfSingleProcessPrivilege	476	WMIC.exe
Token: SeIncBasePriorityPrivilege	476	WMIC.exe
Token: SeCreatePagefilePrivilege	476	WMIC.exe
Token: SeBackupPrivilege	476	WMIC.exe
Token: SeRestorePrivilege	476	WMIC.exe
Token: SeShutdownPrivilege	476	WMIC.exe
Token: SeDebugPrivilege	476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	476	WMIC.exe
Token: SeRemoteShutdownPrivilege	476	WMIC.exe
Token: SeUndockPrivilege	476	WMIC.exe
Token: SeManageVolumePrivilege	476	WMIC.exe
Token: 33	476	WMIC.exe
Token: 34	476	WMIC.exe
Token: 35	476	WMIC.exe
Token: 36	476	WMIC.exe
Token: SeBackupPrivilege	5172	vssvc.exe
Token: SeRestorePrivilege	5172	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
3556	taskmgr.exe
4212	chrome.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

Builder.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exeWinlockerBuilderv5.exeWinlockerBuilderv5.exetaskmgr.exejusched.exetaskhost.exe

pid	process
4892	Builder.exe
4532	@WanaDecryptor@.exe
4148	@WanaDecryptor@.exe
4148	@WanaDecryptor@.exe
4532	@WanaDecryptor@.exe
3424	@WanaDecryptor@.exe
3424	@WanaDecryptor@.exe
5208	@WanaDecryptor@.exe
5832	@WanaDecryptor@.exe
3432	@WanaDecryptor@.exe
972	@WanaDecryptor@.exe
476	@WanaDecryptor@.exe
4844	@WanaDecryptor@.exe
2392	@WanaDecryptor@.exe
3180	@WanaDecryptor@.exe
3448	WinlockerBuilderv5.exe
3448	WinlockerBuilderv5.exe
2788	WinlockerBuilderv5.exe
5844	taskmgr.exe
5612	jusched.exe
5612	jusched.exe
3960	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.exewscript.exechrome.exe

description	pid	process	target process
PID 1652 wrote to memory of 4880	1652	wscript.exe	wscript.exe
PID 1652 wrote to memory of 4880	1652	wscript.exe	wscript.exe
PID 1652 wrote to memory of 4764	1652	wscript.exe	wscript.exe
PID 1652 wrote to memory of 4764	1652	wscript.exe	wscript.exe
PID 4764 wrote to memory of 1332	4764	wscript.exe	wscript.exe
PID 4764 wrote to memory of 1332	4764	wscript.exe	wscript.exe
PID 4212 wrote to memory of 3784	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 3784	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 2176	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 5076	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 5076	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe
PID 4212 wrote to memory of 4888	4212	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

5988 attrib.exe

pid	process
5988	attrib.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\GXPhmnNRPG_wynmove.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nYnEJuzswi.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:4880

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GXPhmnNRPG_wynmove.js"
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nYnEJuzswi.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:1332

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb5e24f50,0x7ffdb5e24f60,0x7ffdb5e24f70
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1952 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:8
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
2⤵
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4312 /prefetch:8
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:8
2⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3480 /prefetch:8
2⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
2⤵
PID:5620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
2⤵
PID:5652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
2⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1472 /prefetch:8
2⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2756 /prefetch:8
2⤵
PID:6100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1460 /prefetch:8
2⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:8
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1540 /prefetch:1
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
2⤵
PID:5272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
2⤵
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5356 /prefetch:8
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1556 /prefetch:2
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=996 /prefetch:8
2⤵
PID:5760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=840 /prefetch:1
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
2⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5828 /prefetch:8
2⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:6048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2344 /prefetch:8
2⤵
PID:5264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:8
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
2⤵
PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3092 /prefetch:8
2⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
2⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:6000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
2⤵
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
2⤵
PID:5656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
2⤵
PID:5976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6700 /prefetch:8
2⤵
PID:6088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
2⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5804 /prefetch:8
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6260 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6276 /prefetch:8
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6208 /prefetch:8
2⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 /prefetch:8
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
2⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
2⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
2⤵
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6068 /prefetch:8
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3232 /prefetch:8
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 /prefetch:8
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5692 /prefetch:8
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6732 /prefetch:8
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6252 /prefetch:8
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1028 /prefetch:8
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5712 /prefetch:8
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:5172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6328 /prefetch:8
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
2⤵
PID:5472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6236 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6340 /prefetch:8
2⤵
PID:5180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3108 /prefetch:8
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
2⤵
PID:5644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3232 /prefetch:8
2⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6888 /prefetch:8
2⤵
PID:3340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
2⤵
PID:6060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:8
2⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
2⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 /prefetch:8
2⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7144 /prefetch:8
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3504 /prefetch:8
2⤵
PID:452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7024 /prefetch:8
2⤵
PID:5196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6480 /prefetch:8
2⤵
PID:6104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5800 /prefetch:8
2⤵
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1388 /prefetch:8
2⤵
PID:5840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
2⤵
PID:5760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
2⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6692 /prefetch:8
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
2⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
2⤵
PID:5644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
2⤵
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
2⤵
PID:6068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
2⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6700 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6344 /prefetch:8
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 /prefetch:8
2⤵
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:8
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6396 /prefetch:8
2⤵
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5892 /prefetch:8
2⤵
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
2⤵
PID:5908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
2⤵
PID:792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1540 /prefetch:1
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5972 /prefetch:8
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6840 /prefetch:8
2⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 /prefetch:8
2⤵
PID:5696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6592 /prefetch:8
2⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
2⤵
PID:5324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5908 /prefetch:8
2⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=140 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
2⤵
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=141 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 /prefetch:8
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6580 /prefetch:8
2⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=145 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:8
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=147 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8
2⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=150 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=151 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6916 /prefetch:8
2⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,16174682339227237417,16815217668195203039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
2⤵
PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5780

C:\Users\Admin\Desktop\Redline_2021_stealer\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline_2021_stealer\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Users\Admin\Desktop\Redline_2021_stealer\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Desktop\Redline_2021_stealer\Kurome.Host\Kurome.Host.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Users\Admin\Desktop\Redline_2021_stealer\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Desktop\Redline_2021_stealer\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Users\Admin\Desktop\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe
"C:\Users\Admin\Desktop\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Users\Admin\Desktop\Redline_2021_stealer\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Desktop\Redline_2021_stealer\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4684

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4684_1420665804\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4684_1420665804\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={da9457bf-6099-4d80-a2a4-ec1a30e4f499} --system
2⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Users\Admin\Desktop\xmrig.exe
"C:\Users\Admin\Desktop\xmrig.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Users\Admin\Desktop\configuretion.exe
"C:\Users\Admin\Desktop\configuretion.exe"
1⤵
PID:4008

C:\Users\Admin\Desktop\configuretion.exe
"C:\Users\Admin\Desktop\configuretion.exe"
2⤵
- Loads dropped DLL
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.microsoft.com/en-in/download/details.aspx?id=44266
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf4,0x120,0x7ffdc61146f8,0x7ffdc6114708,0x7ffdc6114718
4⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,20861046239055191,15255243136204819742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
4⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,20861046239055191,15255243136204819742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
4⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,20861046239055191,15255243136204819742,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 /prefetch:8
4⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,20861046239055191,15255243136204819742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
4⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,20861046239055191,15255243136204819742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
4⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,20861046239055191,15255243136204819742,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 /prefetch:8
4⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,20861046239055191,15255243136204819742,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
4⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,20861046239055191,15255243136204819742,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
4⤵
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Python27\Scripts\pip.exe install pycrypto
3⤵
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Python27\Scripts\pip.exe install pyinstaller
3⤵
PID:3384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5504

C:\Users\Admin\Desktop\Builder.exe
"C:\Users\Admin\Desktop\Builder.exe"
1⤵
PID:4624

C:\Users\Admin\Desktop\Builder.exe
"C:\Users\Admin\Desktop\Builder.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:5140

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:5988

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4456

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 209041666692377.bat
2⤵
PID:3164

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
2⤵
PID:4908

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:2608

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3424

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zywnfqwizjcp627" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
2⤵
PID:5600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zywnfqwizjcp627" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:5244

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1828

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5208

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:368

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5192

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3432

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5716

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5960

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:3128

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:476

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4452

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5196

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4144

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5324

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4508

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5664

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:824

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:5844

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:2600

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:4276

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:4308

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:4892

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:3364

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:5304

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:6124

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:5276

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2260

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:2392

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:1436

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:5288

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:5900

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:5696

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3524

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:6008

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:5736

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3560

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:2656

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:4592

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:6052

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:4100

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:5312

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:4392

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:344

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:4144

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe
2⤵
PID:5548

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
PID:5032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5172

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
PID:2256

C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
"C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3100

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5260

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:3876

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4092

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5612

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:1940

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
4⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
5⤵
PID:5536

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3204

C:\Users\Admin\Desktop\Build.exe
"C:\Users\Admin\Desktop\Build.exe"
1⤵
PID:3764

C:\Windows\SysWOW64\Explorer.exe
Explorer.exe
2⤵
PID:3380

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2616

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
PID:4364

C:\Users\Admin\Desktop\Build.exe
"C:\Users\Admin\Desktop\Build.exe"
2⤵
PID:1724

C:\Windows\SysWOW64\Explorer.exe
Explorer.exe
3⤵
PID:1504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
PID:4324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Adds Run key to start application
PID:3448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4260

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
PID:5412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1748 -s 3996
2⤵
- Program crash
PID:3236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3236 -s 540
3⤵
- Program crash
PID:1460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1748 -ip 1748
1⤵
PID:5868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 3412 -ip 3412
1⤵
PID:5752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3412 -ip 3412
1⤵
PID:5220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3412 -ip 3412
1⤵
PID:1140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 440 -s 2420
2⤵
- Program crash
PID:5016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 440 -ip 440
1⤵
PID:5276

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5680

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
PID:3560

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2104

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4964 -ip 4964
1⤵
PID:1936

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1728

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3092

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1652

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2476 -s 664
2⤵
- Program crash
PID:3152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2476 -ip 2476
1⤵
PID:1672

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery