blacknet | 2a6299dfcbcf3186ded295395c7028d651ff178df40d587b531b6bc25f2e3d3f

max time kernel
1388s
max time network
1744s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2022, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Size

307KB
MD5

0abe50c1509136bf62d2184ab439e7a5
SHA1

722a7e2a0dd66f506ba93d24946b8bf504b100c0
SHA256

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
SHA512

0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5
SSDEEP

6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv

Score

10^/10

blacknet darkcomet smokeloader guest16 backdoor collection discovery persistence ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/3476-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 540 created 6316	540	svchost.exe	327

Blocklisted process makes network request 64 IoCs

flow	pid	Process
40	1748	rundll32.exe
68	1748	rundll32.exe
155	1748	rundll32.exe
163	1748	rundll32.exe
166	1748	rundll32.exe
175	1748	rundll32.exe
181	1748	rundll32.exe
186	1748	rundll32.exe
187	1748	rundll32.exe
192	1748	rundll32.exe
198	1748	rundll32.exe
202	1748	rundll32.exe
204	1748	rundll32.exe
205	1748	rundll32.exe
206	1748	rundll32.exe
207	1748	rundll32.exe
209	1748	rundll32.exe
210	1748	rundll32.exe
211	1748	rundll32.exe
212	1748	rundll32.exe
234	1748	rundll32.exe
236	1748	rundll32.exe
238	1748	rundll32.exe
240	1748	rundll32.exe
241	1748	rundll32.exe
246	1748	rundll32.exe
248	1748	rundll32.exe
250	1748	rundll32.exe
252	1748	rundll32.exe
254	1748	rundll32.exe
255	1748	rundll32.exe
257	1748	rundll32.exe
258	1748	rundll32.exe
259	1748	rundll32.exe
261	1748	rundll32.exe
264	1748	rundll32.exe
265	1748	rundll32.exe
266	1748	rundll32.exe
267	1748	rundll32.exe
268	1748	rundll32.exe
269	1748	rundll32.exe
270	1748	rundll32.exe
282	1748	rundll32.exe
283	1748	rundll32.exe
284	1748	rundll32.exe
285	1748	rundll32.exe
286	1748	rundll32.exe
294	1748	rundll32.exe
295	1748	rundll32.exe
296	1748	rundll32.exe
298	1748	rundll32.exe
305	1748	rundll32.exe
306	1748	rundll32.exe
309	1748	rundll32.exe
310	1748	rundll32.exe
311	1748	rundll32.exe
312	1748	rundll32.exe
320	1748	rundll32.exe
321	1748	rundll32.exe
322	1748	rundll32.exe
323	1748	rundll32.exe
327	1748	rundll32.exe
328	1748	rundll32.exe
329	1748	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 56 IoCs

pid	Process
4864	158.exe
4672	2A9B.exe
3564	2A9B.exe
1448	158.exe
4872	xmrig.exe
3116	WinlockerBuilderv5.exe
4416	svshost.exe
4864	jusched.exe
4100	taskhost.exe
2768	taskhost.exe
220	svshost.exe
904	WinlockerBuilderv5.exe
1272	upx_compresser.exe
4592	upx_compresser.exe
620	software_reporter_tool.exe
2640	software_reporter_tool.exe
3108	software_reporter_tool.exe
1772	regsvr32.exe
5568	gdhehuf
6088	msedge.exe
2252	MSAGENT.EXE
5468	tv_enua.exe
6052	AgentSvr.exe
6956	BonziBDY_4.EXE
7004	AgentSvr.exe
6408	BonziKill.exe
6592	BonziKill.exe
5776	BonziKill.exe
3048	optimize.exe
1824	LimePro.exe
1848	LimePro.exe
6296	bob.exe
2912	bob.exe
1908	LimePro.exe
5628	LimePro.exe
4764	updater.exe
6460	navigator.exe
6316	navigator.exe
6504	navigator.exe
5396	xpicleanup.exe
4760	xpicleanup.exe
5940	xpicleanup.exe
960	gdhehuf
4908	Setup.exe
8172	ChromeRecovery.exe
3156	svchosts.exe
7304	WinlockerBuilderv5.exe
7068	svshost.exe
4104	jusched.exe
6280	WinlockerBuilderv5.exe
7316	upx_compresser.exe
3388	upx_compresser.exe
7092	svshost.exe
1952	WinlockerBuilderv5.exe
4780	upx_compresser.exe
1652	upx_compresser.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\turnOffNotificationInTray\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Multimedia Platform\\turnOffNotificationInTray.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\turnOffNotificationInTray\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4496-255-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/904-266-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4496-268-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/904-270-0x0000000000400000-0x0000000000C89000-memory.dmp	upx

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	jusched.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	svshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	jusched.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	svshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	WinlockerBuilderv5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	optimize.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	bob.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	WinlockerBuilderv5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	svshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	svshost.exe

Loads dropped DLL 64 IoCs

pid	Process
1748	rundll32.exe
900	svchost.exe
900	svchost.exe
1956	rundll32.exe
1956	rundll32.exe
3192	rundll32.exe
2800	rundll32.exe
1956	upx_compresser.exe
3108	software_reporter_tool.exe
3108	software_reporter_tool.exe
3108	software_reporter_tool.exe
3108	software_reporter_tool.exe
3108	software_reporter_tool.exe
3108	software_reporter_tool.exe
3108	software_reporter_tool.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
5468	tv_enua.exe
1772	chrome.exe
1772	chrome.exe
4212	regsvr32.exe
2252	MSAGENT.EXE
5900	regsvr32.exe
5932	regsvr32.exe
5536	regsvr32.exe
5976	regsvr32.exe
5316	regsvr32.exe
4296	regsvr32.exe
6112	regsvr32.exe
6956	BonziBDY_4.EXE
6956	BonziBDY_4.EXE
6956	BonziBDY_4.EXE
6956	BonziBDY_4.EXE
6956	BonziBDY_4.EXE
6956	BonziBDY_4.EXE
7004	AgentSvr.exe
7004	AgentSvr.exe
7004	AgentSvr.exe
7004	AgentSvr.exe
7004	AgentSvr.exe
6956	BonziBDY_4.EXE
6956	BonziBDY_4.EXE
6956	BonziBDY_4.EXE
1824	LimePro.exe
1824	LimePro.exe
1824	LimePro.exe
1824	LimePro.exe
1824	LimePro.exe
1824	LimePro.exe
1908	LimePro.exe
1908	LimePro.exe
1908	LimePro.exe
1908	LimePro.exe
1908	LimePro.exe
1908	LimePro.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	xpicleanup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AudioDriver = "C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderv5.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	xpicleanup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mozilla_cleanup = "C:\\Users\\Admin\\Desktop\\BonziKill\\netscape\\xpicleanup.exe"	xpicleanup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tv_enua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mozilla_cleanup = "C:\\Users\\Admin\\Desktop\\BonziKill\\netscape\\xpicleanup.exe"	xpicleanup.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	xpicleanup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mozilla_cleanup = "C:\\Users\\Admin\\Desktop\\BonziKill\\netscape\\xpicleanup.exe"	xpicleanup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\Desktop\\WinlockerBuilderv5.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\Desktop\\WinlockerBuilderv5.exe"	WinlockerBuilderv5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SET525.tmp	tv_enua.exe
File created	C:\Windows\SysWOW64\SET525.tmp	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\Desktop\wallpaper = "C:\\bonzi\\wave.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\Desktop\wallpaper	reg.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 2800	1748	rundll32.exe	92
PID 2084 set thread context of 1956	2084	upx_compresser.exe	178
PID 4100 set thread context of 2768	4100	taskhost.exe	180
PID 1272 set thread context of 4592	1272	upx_compresser.exe	184
PID 7316 set thread context of 3388	7316	upx_compresser.exe	421
PID 4780 set thread context of 1652	4780	upx_compresser.exe	425

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page6.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page10.jpg	msedge.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Intro2.wav	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb001.gif	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t2.nbd	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BG\Bg3.bmp	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page12.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page13.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb015.gif	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\book	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page0.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page12.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page6.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\fix.bat	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\Thumbs.db	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb007.gif	msedge.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	rundll32.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page11.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\book	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page15.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page4.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page6.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp005.gif	msedge.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziCTB.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page14.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Snd2.wav	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page3.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page5.jpg	msedge.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\empop3.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\AutoDirPatcher.vbs	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page5.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css	rundll32.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\warning.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\s1.nbd	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page18.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb006.gif	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page5.jpg	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BG\Bg1.bmp	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\MSAGENTS\Peedy.acs	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\~GLH0046.TMP	msedge.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\widevinecdmadapter.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\AUTPRX32.DLL	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\msvbvm60.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb011.gif	msedge.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\emsmtp.dll	msedge.exe

Drops file in Windows directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msagent\chars\Bonzi.acs	msedge.exe
File opened for modification	C:\Windows\INF\SET514.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET1060.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET10E4.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File created	C:\Windows\msagent\SET103C.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentPsh.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\chars\Peedy.acs	msedge.exe
File opened for modification	C:\Windows\lhsp\help\SET502.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	MSAGENT.EXE
File created	C:\Windows\msagent\SET105F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentAnm.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET103B.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET104E.tmp	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET500.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET1081.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET1081.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET500.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSR.dll	MSAGENT.EXE
File opened for modification	C:\Windows\mozregistry.dat	xpicleanup.exe
File opened for modification	C:\Windows\msagent\SET105F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File created	C:\Windows\msagent\SET10E4.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File created	C:\Windows\msagent\SET104D.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\agtinst.inf	MSAGENT.EXE
File opened for modification	C:\Windows\help\SET10A3.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET501.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET104E.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET501.tmp	tv_enua.exe
File created	C:\Windows\lhsp\help\SET502.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET104D.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET1080.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET1080.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File created	C:\Windows\nsreg.dat	navigator.exe
File created	C:\Windows\help\SET10A3.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\nsreg.dat	navigator.exe
File opened for modification	C:\Windows\mozregistry.dat	xpicleanup.exe
File opened for modification	C:\Windows\fonts\SET503.tmp	tv_enua.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET103C.tmp	MSAGENT.EXE
File created	C:\Windows\INF\SET1092.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET1093.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe
File created	C:\Windows\INF\SET514.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET103B.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SET1092.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\mslwvtts.dll	MSAGENT.EXE
File created	C:\Windows\fonts\SET503.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\intl\SET10B4.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET1060.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET1093.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\intl\SET10B4.tmp	MSAGENT.EXE
File created	C:\Windows\mozregistry.dat	xpicleanup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
612	4864	WerFault.exe	86
4052	1448	WerFault.exe	135
6524	1824	WerFault.exe	305
8036	7856	WerFault.exe	426
7272	5968	WerFault.exe	471
6964	7212	WerFault.exe	478

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gdhehuf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gdhehuf
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gdhehuf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gdhehuf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gdhehuf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gdhehuf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6848	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	optimize.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	optimize.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\IESettingSync	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\IESettingSync	optimize.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	optimize.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ProxyStubClsid32	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE3-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE9-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EF6BEC1-E669-11CD-836C-0000C0C14E92}\TypeLib\Version = "1.0"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F7AE600-0142-11D3-9DCF-89BE4EFB591E}\ = "ICOMScript"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A981630-37C3-11CE-9E52-0000C0554C0A}\TypeLib\ = "{643F1353-1D07-11CE-9E52-0000C0554C0A}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4900F95-055F-11D4-8F9B-00104BA312D6}\TypeLib	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24830770-5D94-11CE-9412-0000C0C14E92}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSCalendar.SSYearCtrl.1\CLSID\ = "{368C5B10-6A0F-11CE-9425-0000C0C14E92}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4900F69-055F-11D4-8F9B-00104BA312D6}\TypeLib\Version = "1.4"	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSPanel\CLSID\ = "{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FD2-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinForm.1	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinForm.1\CLSID\ = "{972DE6C2-8B09-11D2-B652-A1FD6CC34260}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{643F1350-1D07-11CE-9E52-0000C0554C0A}\InprocServer32	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ = "C:\\Windows\\msagent\\AgentMPx.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E26DD3CD-B06C-47BA-9766-5F264B858E09}\TypeLib	BonziBDY_4.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSCommand\CurVer	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EF6BEC0-E669-11CD-836C-0000C0C14E92}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DB2224E-D2FA-4B2E-8402-085EA7CC826B}\TypeLib	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DA7E73-B94F-49A2-9FEF-9F4B40C8E221}\TypeLib	BonziBDY_4.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FD2-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\Version = "3.0"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSCheck\CLSID\ = "{065E6FE3-1BF9-11D2-BAE8-00104B9E0792}"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB52CF7C-3917-11CE-80FB-0000C0C14E92}\TypeLib\Version = "1.0"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip.2\CLSID\ = "{1EFB6596-857C-11D1-B16A-00C0F0283628}"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE7-1BF9-11D2-BAE8-00104B9E0792}\TypeLib	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\ = "IImageList"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE6-1BF9-11D2-BAE8-00104B9E0792}\MiscStatus\1\ = "139665"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EF6BEC1-E669-11CD-836C-0000C0C14E92}\ = "_DSSMonthEvents"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CDA1CA04-8B5D-11D0-9BC0-0000C0F04C96}\TypeLib\Version = "2.0"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A45DB4B-BD0D-11D2-8D14-00104B9E072A}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComTransitions\CLSID	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D46-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE33-8596-11D1-B16A-00C0F0283628}\ = "TabStrip General Property Page Object"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE0-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\Version = "3.0"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22DF5084-12BC-4C98-8044-4FAD06F4119A}	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F96-055F-11D4-8F9B-00104BA312D6}\ProgID	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{157083E1-2368-11CF-87B9-00AA006C8166}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSCOMCTL.OCX"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6595-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}\VersionIndependentProgID	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.CPeriod\Clsid\ = "{22EB59AE-1CB8-4153-9DFC-B5CE048357CF}"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1533A365-F76F-4518-8A56-4CD34547F8AB}\Control\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B1BE80A-567F-11D1-B652-0060976C699F}\1.1	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00E212A2-E66D-11CD-836C-0000C0C14E92}\ProxyStubClsid32	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FD4-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\Version = "3.0"	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\432B4A19FC2D6B68554390D646BF6A281D7FBC45	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\432B4A19FC2D6B68554390D646BF6A281D7FBC45\Blob = 030000000100000014000000432b4a19fc2d6b68554390d646bf6a281d7fbc4520000000010000007a02000030820276308201dfa00302010202081420d0356e9fd4f5300d06092a864886f70d01010b050030613120301e06035504030c17446967694365727420476c6f626e6c20526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3230313131353231323331385a170d3234313131343231323331385a30613120301e06035504030c17446967694365727420476c6f626e6c20526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100e66c9cedb3c47e83d4db26b1c1293caff81e02a6d94f7cb2744eec99744819aed031064f121fbaa8981019dd83e47054499838c8c74a1b2e30f63d91645f21ddee10b1e757897d74f41b12936fd58a5b709a0f9d3001e499ca1da05540e6b15b97c543e4069d3d781ddceab23842e1e6dbae53fd587a430f8a2fdefcb634684d0203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b30198217446967694365727420476c6f626e6c20526f6f74204341300d06092a864886f70d01010b0500038181002a98a42354a81720b0ded20c7837e680a49986a70e42c38e1cac8ef4422e70c3df27182955047eae23806d5f0ee252adfcb26e2014a8ebe5a0e157710efc832e97cda9e0597615d0b07591c6c27ff1841e3c69c97bcdeeea280057998e0f325456c4b7d165b2fe448236aee0c8b99464670c4435648e702b3d2332d5eb3d60b2	rundll32.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 12 IoCs

pid	Process
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
5908	vlc.exe
6320	vlc.exe
4848	vlc.exe
2704	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3476	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
3476	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
4576	taskmgr.exe
4576	taskmgr.exe
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
4576	taskmgr.exe
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
2704	Process not Found
2616	taskmgr.exe
2768	taskhost.exe
5908	vlc.exe
6320	vlc.exe
4848	vlc.exe
3488	chrome.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
3476	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
2084	upx_compresser.exe
4100	taskhost.exe
1272	upx_compresser.exe
5568	gdhehuf
960	gdhehuf
7316	upx_compresser.exe
4780	upx_compresser.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeDebugPrivilege	4576	taskmgr.exe
Token: SeSystemProfilePrivilege	4576	taskmgr.exe
Token: SeCreateGlobalPrivilege	4576	taskmgr.exe
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeDebugPrivilege	4672	2A9B.exe
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeDebugPrivilege	1748	rundll32.exe
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: 33	4576	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4576	taskmgr.exe
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found
Token: SeCreatePagefilePrivilege	2704	Process not Found
Token: SeShutdownPrivilege	2704	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
2704	Process not Found
2704	Process not Found
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
2704	Process not Found
4576	taskmgr.exe
2704	Process not Found
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
2704	Process not Found
4576	taskmgr.exe
2704	Process not Found
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe
4576	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
3116	WinlockerBuilderv5.exe
3116	WinlockerBuilderv5.exe
4864	jusched.exe
4864	jusched.exe
4496	WinlockerBuilderv5.exe
2768	taskhost.exe
904	WinlockerBuilderv5.exe
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
6088	msedge.exe
2252	MSAGENT.EXE
5468	tv_enua.exe
6052	AgentSvr.exe
6956	BonziBDY_4.EXE
6956	BonziBDY_4.EXE
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
2704	Process not Found
3048	optimize.exe
3048	optimize.exe
3048	optimize.exe
3048	optimize.exe
3048	optimize.exe
3048	optimize.exe
2704	Process not Found
2704	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4576	2704	Process not Found	84
PID 2704 wrote to memory of 4576	2704	Process not Found	84
PID 2704 wrote to memory of 4864	2704	Process not Found	86
PID 2704 wrote to memory of 4864	2704	Process not Found	86
PID 2704 wrote to memory of 4864	2704	Process not Found	86
PID 4864 wrote to memory of 1748	4864	158.exe	88
PID 4864 wrote to memory of 1748	4864	158.exe	88
PID 4864 wrote to memory of 1748	4864	158.exe	88
PID 2704 wrote to memory of 4672	2704	Process not Found	91
PID 2704 wrote to memory of 4672	2704	Process not Found	91
PID 1748 wrote to memory of 2800	1748	rundll32.exe	92
PID 1748 wrote to memory of 2800	1748	rundll32.exe	92
PID 1748 wrote to memory of 2800	1748	rundll32.exe	92
PID 1748 wrote to memory of 1256	1748	rundll32.exe	93
PID 1748 wrote to memory of 1256	1748	rundll32.exe	93
PID 1748 wrote to memory of 1256	1748	rundll32.exe	93
PID 1748 wrote to memory of 4828	1748	rundll32.exe	95
PID 1748 wrote to memory of 4828	1748	rundll32.exe	95
PID 1748 wrote to memory of 4828	1748	rundll32.exe	95
PID 2704 wrote to memory of 3488	2704	Process not Found	97
PID 2704 wrote to memory of 3488	2704	Process not Found	97
PID 3488 wrote to memory of 2236	3488	chrome.exe	99
PID 3488 wrote to memory of 2236	3488	chrome.exe	99
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 408	3488	chrome.exe	100
PID 3488 wrote to memory of 3484	3488	chrome.exe	101

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
"C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3476

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4576

C:\Users\Admin\AppData\Local\Temp\158.exe
C:\Users\Admin\AppData\Local\Temp\158.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll,start
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1748
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 16333
    3⤵
    - Loads dropped DLL
    PID:2800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 500
  2⤵
  - Program crash
  PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4864 -ip 4864
1⤵
PID:784

C:\Users\Admin\AppData\Local\Temp\2A9B.exe
C:\Users\Admin\AppData\Local\Temp\2A9B.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffedd0a4f50,0x7ffedd0a4f60,0x7ffedd0a4f70
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2032 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1580 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1620 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=836 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1552 /prefetch:2
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3216 /prefetch:8
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1620 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6376 /prefetch:8
  2⤵
  PID:2356
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.exe
  "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=yE0A1ZvXvnEfDaIJLzK0RlvqrlvNmrRST44eOa3o --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
  2⤵
  - Executes dropped EXE
  PID:620
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=104.289.200 --initial-client-data=0x2a0,0x2a4,0x2a8,0x280,0x2ac,0x7ff781d82d20,0x7ff781d82d30,0x7ff781d82d40
    3⤵
    - Executes dropped EXE
    PID:2640
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_620_DQLNJYTOLCCKITLB" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=3164835926085181672 --mojo-platform-channel-handle=772 --engine=2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3108
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_620_DQLNJYTOLCCKITLB" --sandboxed-process-id=3 --init-done-notifier=1032 --sandbox-mojo-pipe-token=2390216006077769277 --mojo-platform-channel-handle=1028
    3⤵
    PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6876 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6756 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7936 /prefetch:8
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6984 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7832 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7788 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8064 /prefetch:8
  2⤵
  PID:6848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8104 /prefetch:8
  2⤵
  PID:6680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:6844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:6736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8172 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8176 /prefetch:8
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8048 /prefetch:8
  2⤵
  PID:7124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8184 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6912 /prefetch:8
  2⤵
  PID:6332
- C:\Users\Admin\Downloads\BonziKill.exe
  "C:\Users\Admin\Downloads\BonziKill.exe"
  2⤵
  - Executes dropped EXE
  PID:6408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:6892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:6700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7388 /prefetch:8
  2⤵
  PID:5876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3200 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:6452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:7152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:6316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7652 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8064 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7520 /prefetch:8
  2⤵
  PID:6596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:6584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:6716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7476 /prefetch:8
  2⤵
  PID:6760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8152 /prefetch:8
  2⤵
  PID:6612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7772 /prefetch:8
  2⤵
  PID:7016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8368 /prefetch:1
  2⤵
  PID:6540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:7044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8564 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8208 /prefetch:1
  2⤵
  PID:6456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8584 /prefetch:1
  2⤵
  PID:6812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8768 /prefetch:1
  2⤵
  PID:6660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7172 /prefetch:1
  2⤵
  PID:6316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8476 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8968 /prefetch:1
  2⤵
  PID:6504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8764 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8380 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6812 /prefetch:8
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8948 /prefetch:8
  2⤵
  PID:6864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9148 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  PID:6300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9244 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=140 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2364 /prefetch:1
  2⤵
  PID:6696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=141 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8780 /prefetch:1
  2⤵
  PID:6788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=142 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9592 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=143 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8584 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=144 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8804 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=145 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9224 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=146 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9372 /prefetch:1
  2⤵
  PID:7188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=148 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9368 /prefetch:1
  2⤵
  PID:7252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=147 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9344 /prefetch:1
  2⤵
  PID:7244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=149 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1
  2⤵
  PID:7304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1120 /prefetch:8
  2⤵
  PID:7424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9556 /prefetch:8
  2⤵
  PID:7416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9780 /prefetch:8
  2⤵
  PID:7536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8236 /prefetch:8
  2⤵
  PID:7596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9904 /prefetch:8
  2⤵
  PID:7604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=155 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:7808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=156 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:7872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=157 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9376 /prefetch:1
  2⤵
  PID:7948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7264 /prefetch:8
  2⤵
  PID:8088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=159 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7640 /prefetch:1
  2⤵
  PID:7020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9592 /prefetch:8
  2⤵
  PID:6108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8828 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7172 /prefetch:8
  2⤵
  PID:7840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3060 /prefetch:2
  2⤵
  PID:5876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:6576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,3138291000239231682,1781871120954402769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7540 /prefetch:8
  2⤵
  PID:7816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:2616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\2A9B.exe
"C:\Users\Admin\AppData\Local\Temp\2A9B.exe"
1⤵
- Executes dropped EXE
PID:3564

C:\Users\Admin\AppData\Local\Temp\158.exe
"C:\Users\Admin\AppData\Local\Temp\158.exe"
1⤵
- Executes dropped EXE
PID:1448
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll,start
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 508
  2⤵
  - Program crash
  PID:4052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:900
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows multimedia platform\turnoffnotificationintray.dll",jEBMODRRS2Rh
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1448 -ip 1448
1⤵
PID:4496

C:\Users\Admin\Desktop\xmrig.exe
"C:\Users\Admin\Desktop\xmrig.exe"
1⤵
- Executes dropped EXE
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedd0a4f50,0x7ffedd0a4f60,0x7ffedd0a4f70
  2⤵
  PID:3136

C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
"C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3116
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\svshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
      "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:904
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        Executes dropped EXE
        
        PID:4592
- C:\Users\Admin\AppData\Local\Temp\svshost.exe
  "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
    "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4496
- - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
    "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      Modifies WinLogon for persistence
      Loads dropped DLL
      Adds Run key to start application
      PID:1956
    - - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4100
      - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2768

C:\Users\Admin\AppData\Roaming\gdhehuf
C:\Users\Admin\AppData\Roaming\gdhehuf
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5568

C:\Users\Admin\Desktop\BonziBuddy432.exe
"C:\Users\Admin\Desktop\BonziBuddy432.exe"
1⤵
PID:6088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
  2⤵
  PID:4732
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
    MSAGENT.EXE
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2252
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:5900
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      Loads dropped DLL
      PID:5932
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      Loads dropped DLL
      PID:5536
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      Loads dropped DLL
      PID:5976
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:5316
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      Loads dropped DLL
      PID:4296
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      Loads dropped DLL
      PID:6112
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:6052
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:4856
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
    tv_enua.exe
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:5468
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      Executes dropped EXE
      PID:1772
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      Loads dropped DLL
      PID:4212
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bonzibuddy.tk/
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:2624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeeb5546f8,0x7ffeeb554708,0x7ffeeb554718
    3⤵
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    3⤵
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
    3⤵
    PID:2656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    3⤵
    PID:5944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
    3⤵
    PID:5868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    PID:1368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 /prefetch:8
    3⤵
    PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
    3⤵
    PID:6028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:6088
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8
    3⤵
    PID:6116
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:6284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff64c225460,0x7ff64c225470,0x7ff64c225480
      4⤵
      PID:6300
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8
    3⤵
    PID:6376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
    3⤵
    PID:6632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,203370198187741274,13377714913440480165,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
    3⤵
    PID:6760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6788

C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6956

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x468
1⤵
PID:7068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:6728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedd0a4f50,0x7ffedd0a4f60,0x7ffedd0a4f70
  2⤵
  PID:4492

C:\Users\Admin\Downloads\BonziKill.exe
"C:\Users\Admin\Downloads\BonziKill.exe"
1⤵
- Executes dropped EXE
PID:6592

C:\Users\Admin\Desktop\BonziKill.exe
"C:\Users\Admin\Desktop\BonziKill.exe"
1⤵
- Executes dropped EXE
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedd0a4f50,0x7ffedd0a4f60,0x7ffedd0a4f70
  2⤵
  PID:5972

C:\Users\Admin\Desktop\BonziKill\optimize.exe
"C:\Users\Admin\Desktop\BonziKill\optimize.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Users\Admin\Desktop\BonziKill\LimePro.exe
"C:\Users\Admin\Desktop\BonziKill\LimePro.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824
- C:\Users\Admin\Desktop\BonziKill\LimePro.exe
  "C:\Program Files (x86)\LimePro\LimePro.exe"
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 676
  2⤵
  - Program crash
  PID:6524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1824 -ip 1824
1⤵
PID:6504

C:\Users\Admin\Desktop\BonziKill\bob.exe
"C:\Users\Admin\Desktop\BonziKill\bob.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:6296
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bob.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bob.exe"
  2⤵
  - Executes dropped EXE
  PID:2912

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BonziKill\china.wav"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5908

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BonziKill\smash.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6320

C:\Users\Admin\Desktop\BonziKill\LimePro.exe
"C:\Users\Admin\Desktop\BonziKill\LimePro.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1908
- C:\Users\Admin\Desktop\BonziKill\LimePro.exe
  "C:\Program Files (x86)\LimePro\LimePro.exe"
  2⤵
  - Executes dropped EXE
  PID:5628

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BonziKill\dicks.wav"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\BonziKill\bg.bat" "
1⤵
PID:5616
- C:\Windows\system32\reg.exe
  reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:7160
- C:\Windows\system32\reg.exe
  reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\bonzi\wave.jpg" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:3984
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
  2⤵
  PID:5888
- C:\Windows\system32\reg.exe
  reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:5552
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:6872

C:\Users\Admin\Desktop\BonziKill\netscape\updater.exe
"C:\Users\Admin\Desktop\BonziKill\netscape\updater.exe"
1⤵
- Executes dropped EXE
PID:4764

C:\Users\Admin\Desktop\BonziKill\netscape\navigator.exe
"C:\Users\Admin\Desktop\BonziKill\netscape\navigator.exe"
1⤵
- Executes dropped EXE
PID:6460
- C:\Users\Admin\Desktop\BonziKill\netscape\navigator.exe
  "C:\Users\Admin\Desktop\BonziKill\netscape\navigator.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:6316
- - C:\Users\Admin\Desktop\BonziKill\netscape\navigator.exe
    "C:\Users\Admin\Desktop\BonziKill\netscape\navigator.exe"
    3⤵
    - Executes dropped EXE
    PID:6504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:540

C:\Users\Admin\Desktop\BonziKill\netscape\xpicleanup.exe
"C:\Users\Admin\Desktop\BonziKill\netscape\xpicleanup.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:5396

C:\Users\Admin\Desktop\BonziKill\netscape\xpicleanup.exe
"C:\Users\Admin\Desktop\BonziKill\netscape\xpicleanup.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:4760

C:\Users\Admin\Desktop\BonziKill\netscape\xpicleanup.exe
"C:\Users\Admin\Desktop\BonziKill\netscape\xpicleanup.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:5940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1288
- C:\Windows\system32\fsutil.exe
  fsutil file createnew \emptshit.bat 29831828123
  2⤵
  PID:5764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:6980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedd0a4f50,0x7ffedd0a4f60,0x7ffedd0a4f70
  2⤵
  PID:6540

C:\Users\Admin\AppData\Roaming\gdhehuf
C:\Users\Admin\AppData\Roaming\gdhehuf
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:960

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap16995:120:7zEvent4387
1⤵
PID:5916

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
PID:4908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\Setup.exe" & exit
  2⤵
  PID:5916
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:6848

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
PID:8136
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir8136_1680593678\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir8136_1680593678\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={93aca21d-deca-4fc8-8de3-3d82ba473a9a} --system
  2⤵
  - Executes dropped EXE
  PID:8172

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:3156
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  PID:7304
- - C:\Users\Admin\AppData\Local\Temp\svshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:7068
  - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
      "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
      4⤵
      Executes dropped EXE
      PID:6280
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:7316
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        Executes dropped EXE
        
        PID:3388
- - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\svshost.exe
      "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:7092
    - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
        5⤵
        Executes dropped EXE
        
        PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4780
      - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        6⤵
        Executes dropped EXE
        
        PID:1652

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:7236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 7856 -ip 7856
1⤵
PID:8020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7856 -s 1120
1⤵
- Program crash
PID:8036

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:6968
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  PID:7804

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:6552
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  PID:8048

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:7232
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  PID:7592

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:7196
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  PID:7948

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:1188
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  PID:7568

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:7340
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  PID:8084

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:7280
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  PID:2588

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:7564
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  PID:7832

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:6468

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:5380

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:6576

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:7788

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:7600

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:8056
- C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
  "C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
  2⤵
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\svshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    3⤵
    PID:7904
  - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
      "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
      4⤵
      PID:7080
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        
        PID:7416
- - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
    3⤵
    PID:7592
  - - C:\Users\Admin\AppData\Local\Temp\svshost.exe
      "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
      4⤵
      PID:7748
    - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
        5⤵
        
        PID:6640
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        
        PID:3860
      - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        6⤵
        
        PID:3816

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:5572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7860

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\2ea4891680f14e5bb16721b88e9c9165 /t 1348 /p 3488
1⤵
PID:7404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 192 -p 5968 -ip 5968
1⤵
PID:6812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5968 -s 2896
1⤵
- Program crash
PID:7272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta66ab8c7h6e94h476dhb4e5h2a49a4bd4270
1⤵
PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffedc8746f8,0x7ffedc874708,0x7ffedc874718
  2⤵
  PID:6640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2304,12907450814991205155,10584970397088752143,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2316 /prefetch:2
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2304,12907450814991205155,10584970397088752143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  PID:8176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2304,12907450814991205155,10584970397088752143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:6860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 7212 -ip 7212
1⤵
PID:5296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7212 -s 3720
1⤵
- Program crash
PID:6964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault75ba3179h697bh426cha962h46319f349f33
1⤵
PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffedc8746f8,0x7ffedc874708,0x7ffedc874718
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3639593602974259725,12755413567589926794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3639593602974259725,12755413567589926794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3639593602974259725,12755413567589926794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:760

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
"C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" /uninstall
1⤵
PID:8084
- C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
  "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" /uninstall -burn.unelevated BurnPipe.{B30D7364-E8A8-4CC3-977C-4438F537D7A8} {F6EC71D5-74ED-4A21-B53B-FABB1D748008} 8084
  2⤵
  PID:7372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:1472

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:6884

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7056

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3096

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3732

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:7904

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:7464

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
1⤵
PID:5284

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5752
- C:\Windows\system32\net.exe
  net user /add shit shit
  2⤵
  PID:4788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /add shit shit
    3⤵
    PID:8012

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa383e055 /state1:0x41c64e6d
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\turnOffNotificationInTray.dll

Filesize
4.3MB

MD5
3daa5e99575602714d17271b4fdc8d01

SHA1
cf148a14cea37f244a828bd06e626055f55970da

SHA256
2b984a541155dcd4b79e4f4d081ddb661cd7b0c2fb91764ac2cb44efa6c78e27

SHA512
b3c175d2613ea3e5657e71b40100b30f3dd9896e3d80d1ed773664ca655123084495d64317757b58135bd808d63b5205a7f857c5e581be80adc561de46248118

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\turnOffNotificationInTray.dll

Filesize
4.3MB

MD5
3daa5e99575602714d17271b4fdc8d01

SHA1
cf148a14cea37f244a828bd06e626055f55970da

SHA256
2b984a541155dcd4b79e4f4d081ddb661cd7b0c2fb91764ac2cb44efa6c78e27

SHA512
b3c175d2613ea3e5657e71b40100b30f3dd9896e3d80d1ed773664ca655123084495d64317757b58135bd808d63b5205a7f857c5e581be80adc561de46248118

Download Submit
C:\ProgramData\{392362DC-8934-5464-5D27-4C0C2FAEDB8D}\Microsoft.AsyncTextService_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml

Filesize
2KB

MD5
2240070d6603ab019cd125005cf38b7b

SHA1
ca96d028f51a7d5ec16630b48935f26c72794b0a

SHA256
7b3b1b641ebbda5397a11af86cb347b0f644ab439341c62b1c81d6990e6f75bc

SHA512
95c6f48f717d9103d30c31e00b7ff3a0d235693a8fffed772c0a0c39107bf3003ac84d6c78e2af566d91a88fa523dcc2c523dcc707d19fc77799832d548f330c

Download Submit
C:\ProgramData\{392362DC-8934-5464-5D27-4C0C2FAEDB8D}\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe.xml

Filesize
58KB

MD5
ca7452f3c00cc3083d549346e3726b1c

SHA1
64c6e09bffa49ef36ab0ac3a7a0d98ff944eb89a

SHA256
a8736abe4c9f3715f7f737db3437af332373204263e458978f653a1c860f088b

SHA512
1a307069368230702b9d397640e4ae16cad64958aea87437b9d0c443a43242d0e72bab932be1a5fa294138c792cdbd0752edb783afe51d253cb7502fa0bc719d

Download Submit
C:\ProgramData\{392362DC-8934-5464-5D27-4C0C2FAEDB8D}\stream.x64.en-us.hash

Filesize
128B

MD5
73f303800be636585f9ec14701cd8d5e

SHA1
456304dc888d5eaa159fa0fa34fc9bcc3bacb633

SHA256
c8e3762853e17a3bd49882b0d36afa285bed5639f8f9e88f716c3942e28b6ace

SHA512
8a80ee6d1b074d68a55bbb3d5be251cfaae89b0345a6b0e84a6359e8c1453c8bf0969e6d33a7d0523d30d586c46c1eede9e71f7a89f7bc67ea0ad866671b81b4

Download Submit
C:\ProgramData\{392362DC-8934-5464-5D27-4C0C2FAEDB8D}\stream.x64.en-us.man.dat

Filesize
622KB

MD5
18b7413b8d54bceff3c29565622d6e63

SHA1
cbf2e4bf2c3f65035d4060a9dcaefdc710f4e04e

SHA256
d21c0fb073320a1a17e0c9a7dc5a0346af74b6e002be4ae1a626e6f3ec0efa85

SHA512
ef0e765d41ce07b17289cbae6afe3ec90b53fc0b5f3491113988d443c00fe0dd189cd74013d3c9b36b56375958d5730afb257b99e5612cee4b3e106a1c45fd3c

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001

Filesize
40KB

MD5
4d0d4d08c9087568a5f9b8ef7f197e32

SHA1
6d97707a6ab604ec18876352f65e4cfd622225ee

SHA256
51bed5ac4ea512eb34ddb300ea7acfcb09a1256341f48b95af195cf67d9d7431

SHA512
3eb227d20eef1f17c445aa1fdbb5489c68187e4324a5f47ee216cf09cb4f6b9372707e10b4cc311175d3bb91e3e7ca557d38058d30fdadd59c8b154efb9ccc41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002

Filesize
48KB

MD5
f9fd348370e5c3ed31d0e92d519a9483

SHA1
bbd72ffc0573b1e70c7a34340dd0efe1af6ad68b

SHA256
317b649c6e94e14e97100fb22dbfecafc44bd68025dd343d179ed17390eb344b

SHA512
18fb70ab511548dc41d3875ac5e82852173ae28d8d4e802cdf6762a1841c88195d119de05d294720fd082506f1602dc2e8c23c640f27df47f6d740d15850b36e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004

Filesize
103KB

MD5
9542e5135791e506bf917f6b72f7ed2e

SHA1
ea14be1cc424a03691d64aadd578477e40a06d27

SHA256
4e20cde0981130378f932dbd68e84bc400a97f59c212d5dddcae26344c8fff20

SHA512
69cfc0d85d2be56748b6669b48db5bd20b95a590a7e4681a267ca230f723b39689f3505592b7dc15730ed848c2779457fefd51fed325b15934577d9ab83d150a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b

Filesize
35KB

MD5
d8c2d11466c0d9caa6887845f7ce9980

SHA1
89730924a38bc125b4534e36e4415c02a07d58fb

SHA256
fe544bc14dc8d0655fd8d865a5a6e11f4605858d16dc4febbf9b20f01e9f4c42

SHA512
7052d861ac5c8866dd27d3f751019ac8a6f84e6f9c45a9e7ac5df349413f4a52d58fad38711f03696f214f276edb8e0badac5a27abf4e9565766614e076b8745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d

Filesize
190KB

MD5
4bd400e19bcfa1625db537a416f487a9

SHA1
27a3019cf0d9eb9180f36cd63384ce3024325ad5

SHA256
dfc0c96526bfdbdb0a23981207fcdbaa9614faae9afbd5a59b1e0d73300d0cc6

SHA512
6488e727b5703ac907397fbec7c3db8ddbda8f1c471ce21443338b908018d47bee1a76f14f797968c48bc4cb320bc66ea72cce78187be6cce6ea71be8ffa27b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e

Filesize
94KB

MD5
1a695566e525594266df64530ead4691

SHA1
42ed8ec02c3ee5cee64dce9df3aa9bcc43dac912

SHA256
e9ae493d2ce94061cdf2f5ac046cf0bfbbe10a89f73b53cd6d26b6b79a58ec69

SHA512
21507643d622625e37fb1556e66164e0e68a34427dc83a323f0ea6599d6d6f89d2f3ed1fa6e65a09947466db1c8a4247e598caab4e3ada83c4608036ccb33902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012

Filesize
349KB

MD5
6402de7ed2683ccc2430bb7544718c2c

SHA1
0fef2797273ed1e93358b39d39c6728bfd38a9e5

SHA256
62baf2c14861876f27916481c3d4cc71912943a59fae4427fb0760fdcb57892e

SHA512
ce463c827ad3d6eb314ff3bf0b836612f832dad859358c6a359f82a8e545f32c02aa93f9add52afc25ae2b750077a761906cbc2ffa28cc5afea577cfb9480850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1b64707f4900a06e_0

Filesize
1.2MB

MD5
ec8ff7a9cbde46e07ffdae437283792b

SHA1
5275b7e03e36c7255c45639b515be23ab3ea4361

SHA256
9f02d64f7a7a9e24f7523f15466de912bd002de17949be2a02ea04b9c284f9e4

SHA512
643eb7ae7952350cf0ffa197dbb6f826a0a1716acee5a6145fb54e724aa1199793dba6a95070477646c6a3e2e90f1e7f6a874454fdb5890deb82b41034638ca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\335357a7c544c3bd_0

Filesize
276B

MD5
5f9e82c15c9e9532f3f37499323c73a0

SHA1
93ddb47240d239963ca0be765893db9e86001129

SHA256
02200ab4cf900a28349c73a24987b1c68f1f47f6af47b4061a82928d6abf538b

SHA512
83e6e0323d3f75c36eb4f4b81bd2008a3c1b302b38723a45583b4d38a689293ffba5ad34d68d70610233f90afe9e9abb643c946fd113a43b11c0a524dac18626

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\77c7587d2b9c27d9_0

Filesize
259B

MD5
1145c455872f35c2a6e2a5549612b7df

SHA1
1164a67bcda244e3789e21d103fb6cdf5030167d

SHA256
f5c473c3a2ad1c0286d468ef44bdd56a22fde1cee96972ab5363390e75e2506a

SHA512
4fcfc2b75f94bf6fad6b88240293121e7f5fc202e4d29c5289e6bf617b2afcfd90aee5d44377e0a396cc8c9e8e9daa413fe9199752a66a793b93045e8a892553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ab92591335b8d160_0

Filesize
48KB

MD5
2fd5e8b8dc53c29d08314eba30ecc5ff

SHA1
663d4e88f728038a2601504d192335fefbee1c50

SHA256
d6758f8749634249b2bf1b0d7d7ccaf568abbf4ed106bf58488f108511e070a5

SHA512
74d7f976cc5c2fe7c4c41b18ca21aa9ca953521a1f1193d7175372c374f2a968ee60dd7e5494c9fc88a137e85a71527b59f7f1f323dabda67cd77486cdd02df4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\d540531670b4ee32_0

Filesize
2KB

MD5
9dfca786be4b8a18e669bf963f5a8054

SHA1
a01a22b9397b65b23481237112008568b776ee20

SHA256
40c89193f2c8166d8666b29f7568cb95387d16ba75be25402d2c5d7042049b30

SHA512
f2a2d5cbb6380f8aee5e38e0332ce5b4ccecb6d73bd7c8fa48644debc2e08a2e76b7977c291ca443ce5f242733a55a2c0c711ad50d38cd96a222c6000e6ffbba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\dde3f08681eddc1f_0

Filesize
284KB

MD5
fe06d0563b61e61f75f2108da750b096

SHA1
520b6198cb4a7212ddc97a85754b59612d38d2d0

SHA256
83f158b35d5febb0fab782eb496e64e4dc6b84dd9d0a95b5dd8f761032021f34

SHA512
b42582e262f6ef4f1c9cbe093ce5f8f3b27447498d9113b4485198fe90b25b919e3031f0046d6785aafad1a64c6b9be92fc19321500c60200dae41535a4486f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f20da569379a6d4d_0

Filesize
338B

MD5
83cfb9bc162c78b8206981f9efcf7089

SHA1
3cbbda943e09fe228991f19692ad9f2dc806c2cc

SHA256
c0da7ad770249c2d06204d22b675bcedc080650ae3e25bacadaf41e396ade8f4

SHA512
c21d5cada9dd75fe73a0183085c1a874dca75e9f23f9fa514a8b99141b4132467a517b7bbddf0243ce3e53431ebb6998fba4ee33f2a49521d1962bbd50c04c64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f723c9cd0bbdc92e_0

Filesize
232B

MD5
e16a8f11fdbd64665d3b3007bb41667d

SHA1
4da2f53b59c7e7f5dc4a4cce0b4501d3fb86a3dc

SHA256
1b4883225d25a7c9a1be6b25963316cabe15b9f3169ea71bf8e10d535ee84a13

SHA512
1e4372fb836c0bd830b404990e5a79ddef639334f92be04c19f57cfd170a59e513873469b506fabdc2e19d27e80f35bed2b4d04e5f536b05587969ce55a07a3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fcfd18cd971c2423_0

Filesize
353B

MD5
783f4f6875fbd56c1a88bd3de49a6728

SHA1
7100f8ba72b818ae02d08ac43f6f4c49081959b7

SHA256
6bd72dd5f50e54846fe763534ea984defe7cc8a635fd9101cfc0247d17bb7d51

SHA512
2ad6d5041415a57a02ee7bb904cc2490dbdcc25dd633cd78dc1ee8ba1cc01778fd7dd444ba88f05d2811a03be983826c548f474a41716eb426a6b27bd7a3ca56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
871304fd5894f61d78a754caf7291ba6

SHA1
1bd24e01db5f32c6aa3b7f1932c1e8aff38661a5

SHA256
ed83186544ab6e542a2f6d693b2fffe7daccfd9d7a399204f37c0950d742f868

SHA512
cf2182d191f339f048d9c5b4598ae872c45d1171eee6cc6ca14dc8431c52d4014b19f15638315111e5db910b78a497893a54a7590d83a4169bf6fff7806a136d

Download Submit
C:\Users\Admin\AppData\Local\Temp\158.exe

Filesize
2.9MB

MD5
17523fca121844dd1f3d74be1cf1129c

SHA1
8b6dc55933aaa24ddb6cd787bcdf7673cabe6f35

SHA256
72550ba54a833fdb45aa8c316c1ed2a34d953d0e2c570c4dd4cadaffd5e283b9

SHA512
f9df7a1faeec6d9fd10f90a03ecdf9b3e7dacfdf6d31515b9447e13e824357e4421f4344e88c573a2174c35065f9267c03ec2ad0de74a4464fa9c23ec7ee2d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\158.exe

Filesize
2.9MB

MD5
17523fca121844dd1f3d74be1cf1129c

SHA1
8b6dc55933aaa24ddb6cd787bcdf7673cabe6f35

SHA256
72550ba54a833fdb45aa8c316c1ed2a34d953d0e2c570c4dd4cadaffd5e283b9

SHA512
f9df7a1faeec6d9fd10f90a03ecdf9b3e7dacfdf6d31515b9447e13e824357e4421f4344e88c573a2174c35065f9267c03ec2ad0de74a4464fa9c23ec7ee2d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\158.exe

Filesize
2.9MB

MD5
17523fca121844dd1f3d74be1cf1129c

SHA1
8b6dc55933aaa24ddb6cd787bcdf7673cabe6f35

SHA256
72550ba54a833fdb45aa8c316c1ed2a34d953d0e2c570c4dd4cadaffd5e283b9

SHA512
f9df7a1faeec6d9fd10f90a03ecdf9b3e7dacfdf6d31515b9447e13e824357e4421f4344e88c573a2174c35065f9267c03ec2ad0de74a4464fa9c23ec7ee2d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A9B.exe

Filesize
22KB

MD5
8196b9fbb388e65dc0ce26e56486d4a4

SHA1
1222abc0cd08af3c8d4de122fd1a41ba8f342e49

SHA256
0cee42585a34f294e2859031ba36fdca5583c2ab4a29ccd91a21325d9f08c3d6

SHA512
0cdb2ba0936b9fdbcc05d2e5b4c9567797223cbc40477ba506afe8bd13c489cf3db31f30f06831693f5e578d062fc3767e57ec7fea644546bafead557e5b4e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A9B.exe

Filesize
22KB

MD5
8196b9fbb388e65dc0ce26e56486d4a4

SHA1
1222abc0cd08af3c8d4de122fd1a41ba8f342e49

SHA256
0cee42585a34f294e2859031ba36fdca5583c2ab4a29ccd91a21325d9f08c3d6

SHA512
0cdb2ba0936b9fdbcc05d2e5b4c9567797223cbc40477ba506afe8bd13c489cf3db31f30f06831693f5e578d062fc3767e57ec7fea644546bafead557e5b4e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A9B.exe

Filesize
22KB

MD5
8196b9fbb388e65dc0ce26e56486d4a4

SHA1
1222abc0cd08af3c8d4de122fd1a41ba8f342e49

SHA256
0cee42585a34f294e2859031ba36fdca5583c2ab4a29ccd91a21325d9f08c3d6

SHA512
0cdb2ba0936b9fdbcc05d2e5b4c9567797223cbc40477ba506afe8bd13c489cf3db31f30f06831693f5e578d062fc3767e57ec7fea644546bafead557e5b4e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll

Filesize
4.3MB

MD5
846f679061c0eeb9f0033f7bd63896f0

SHA1
995c86bc4fdadd1319b82828bab69f5912f5443d

SHA256
208322468666d05914db7d9992d23dec65f8058c296ecb51e6f3d406408cedee

SHA512
f4dcc82f95cab4020a0c5c5b19fd62f422ce3ed2dd9be9662b36d8b96179bbb8b650ec1fe47dd6876d61233e404f7a78cc6fda1ace02122c14900b7123d7ab11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll

Filesize
4.3MB

MD5
846f679061c0eeb9f0033f7bd63896f0

SHA1
995c86bc4fdadd1319b82828bab69f5912f5443d

SHA256
208322468666d05914db7d9992d23dec65f8058c296ecb51e6f3d406408cedee

SHA512
f4dcc82f95cab4020a0c5c5b19fd62f422ce3ed2dd9be9662b36d8b96179bbb8b650ec1fe47dd6876d61233e404f7a78cc6fda1ace02122c14900b7123d7ab11

Download Submit
C:\Users\Admin\Downloads\xmrig-6.18.1-gcc-win64.zip

Filesize
3.2MB

MD5
16c3e41cd12f92df3b195ed78d3a263b

SHA1
91a05ed3b43ef7c8555b4c23bfeef038a16cf588

SHA256
e12abacd392970ecd60e3ef32eaad5d17377b29be257ef2a2a1bd4cd2eda6176

SHA512
56cf12f8f061348de2e0dad899df2466b17541396887077c0d0fd58eabb883a88a24c6f081d8dd874ddb0115e92b81ca02db2a56e61975d3567443ed8ded1e7d

Download Submit
\??\c:\program files (x86)\windows multimedia platform\turnoffnotificationintray.dll

Filesize
4.3MB

MD5
3daa5e99575602714d17271b4fdc8d01

SHA1
cf148a14cea37f244a828bd06e626055f55970da

SHA256
2b984a541155dcd4b79e4f4d081ddb661cd7b0c2fb91764ac2cb44efa6c78e27

SHA512
b3c175d2613ea3e5657e71b40100b30f3dd9896e3d80d1ed773664ca655123084495d64317757b58135bd808d63b5205a7f857c5e581be80adc561de46248118

Download Submit
memory/900-216-0x0000000002460000-0x0000000002FEC000-memory.dmp

Filesize
11.5MB

Download
memory/900-187-0x0000000001900000-0x0000000001D51000-memory.dmp

Filesize
4.3MB

Download
memory/900-188-0x0000000001900000-0x0000000001D51000-memory.dmp

Filesize
4.3MB

Download
memory/900-215-0x0000000002460000-0x0000000002FEC000-memory.dmp

Filesize
11.5MB

Download
memory/900-217-0x0000000002460000-0x0000000002FEC000-memory.dmp

Filesize
11.5MB

Download
memory/900-239-0x0000000001900000-0x0000000001D51000-memory.dmp

Filesize
4.3MB

Download
memory/900-241-0x0000000002460000-0x0000000002FEC000-memory.dmp

Filesize
11.5MB

Download
memory/904-270-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/904-266-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1448-212-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/1448-210-0x0000000002562000-0x0000000002825000-memory.dmp

Filesize
2.8MB

Download
memory/1448-218-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/1748-163-0x0000000004540000-0x0000000004680000-memory.dmp

Filesize
1.2MB

Download
memory/1748-160-0x0000000004540000-0x0000000004680000-memory.dmp

Filesize
1.2MB

Download
memory/1748-156-0x00000000038B0000-0x000000000443C000-memory.dmp

Filesize
11.5MB

Download
memory/1748-155-0x00000000038B0000-0x000000000443C000-memory.dmp

Filesize
11.5MB

Download
memory/1748-158-0x0000000004540000-0x0000000004680000-memory.dmp

Filesize
1.2MB

Download
memory/1748-153-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/1748-159-0x0000000004540000-0x0000000004680000-memory.dmp

Filesize
1.2MB

Download
memory/1748-157-0x00000000038B0000-0x000000000443C000-memory.dmp

Filesize
11.5MB

Download
memory/1748-161-0x0000000004540000-0x0000000004680000-memory.dmp

Filesize
1.2MB

Download
memory/1748-162-0x0000000004540000-0x0000000004680000-memory.dmp

Filesize
1.2MB

Download
memory/1748-146-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/1748-170-0x00000000038B0000-0x000000000443C000-memory.dmp

Filesize
11.5MB

Download
memory/1824-380-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-375-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-373-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-393-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-394-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-395-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-385-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-370-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-369-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-391-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-386-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-387-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-390-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-368-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-392-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-353-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-367-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-372-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-374-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-359-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-360-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-361-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-362-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-363-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-371-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-389-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-384-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-388-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-383-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-382-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-381-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-376-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-379-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-378-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-377-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-365-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-364-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1824-366-0x000000007FC70000-0x000000007FE4A000-memory.dmp

Filesize
1.9MB

Download
memory/1956-221-0x0000000002BF0000-0x000000000377C000-memory.dmp

Filesize
11.5MB

Download
memory/1956-220-0x0000000002BF0000-0x000000000377C000-memory.dmp

Filesize
11.5MB

Download
memory/1956-213-0x00000000020A0000-0x00000000024F1000-memory.dmp

Filesize
4.3MB

Download
memory/1956-228-0x0000000002BF0000-0x000000000377C000-memory.dmp

Filesize
11.5MB

Download
memory/1956-214-0x00000000020A0000-0x00000000024F1000-memory.dmp

Filesize
4.3MB

Download
memory/1956-227-0x00000000020A0000-0x00000000024F1000-memory.dmp

Filesize
4.3MB

Download
memory/1956-259-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2084-257-0x00000000020C0000-0x00000000020C9000-memory.dmp

Filesize
36KB

Download
memory/2768-262-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2768-272-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2800-165-0x00000150D5900000-0x00000150D5A40000-memory.dmp

Filesize
1.2MB

Download
memory/2800-168-0x00000150D3EB0000-0x00000150D4153000-memory.dmp

Filesize
2.6MB

Download
memory/2800-167-0x0000000000BA0000-0x0000000000E32000-memory.dmp

Filesize
2.6MB

Download
memory/2800-166-0x00000150D5900000-0x00000150D5A40000-memory.dmp

Filesize
1.2MB

Download
memory/3108-291-0x0000023EF0FD0000-0x0000023EF1010000-memory.dmp

Filesize
256KB

Download
memory/3108-287-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-280-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-281-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-282-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-283-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-285-0x0000023EF0FD0000-0x0000023EF1010000-memory.dmp

Filesize
256KB

Download
memory/3108-284-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-286-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-293-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-288-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-289-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-290-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3108-292-0x0000023EF0F90000-0x0000023EF0FD0000-memory.dmp

Filesize
256KB

Download
memory/3116-251-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/3116-250-0x00007FFEC6290000-0x00007FFEC6CC6000-memory.dmp

Filesize
10.2MB

Download
memory/3192-236-0x00000000032D0000-0x0000000003E5C000-memory.dmp

Filesize
11.5MB

Download
memory/3192-229-0x00000000032D0000-0x0000000003E5C000-memory.dmp

Filesize
11.5MB

Download
memory/3192-222-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/3192-235-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/3192-230-0x00000000032D0000-0x0000000003E5C000-memory.dmp

Filesize
11.5MB

Download
memory/3476-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/3476-135-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/3476-134-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/3476-132-0x0000000000B22000-0x0000000000B37000-memory.dmp

Filesize
84KB

Download
memory/3564-237-0x00007FFEDA810000-0x00007FFEDB2D1000-memory.dmp

Filesize
10.8MB

Download
memory/3564-181-0x00007FFEDA810000-0x00007FFEDB2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-268-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4496-255-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4592-269-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4672-151-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/4672-152-0x00007FFEDA810000-0x00007FFEDB2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-154-0x00007FFEDA810000-0x00007FFEDB2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4864-141-0x00000000027A0000-0x0000000002AA1000-memory.dmp

Filesize
3.0MB

Download
memory/4864-254-0x00007FFEC6290000-0x00007FFEC6CC6000-memory.dmp

Filesize
10.2MB

Download
memory/4864-147-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4864-258-0x000000000197A000-0x000000000197F000-memory.dmp

Filesize
20KB

Download
memory/4864-142-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4864-140-0x00000000024CE000-0x0000000002791000-memory.dmp

Filesize
2.8MB

Download
memory/4864-271-0x000000000197A000-0x000000000197F000-memory.dmp

Filesize
20KB

Download
memory/4864-273-0x000000000197A000-0x000000000197F000-memory.dmp

Filesize
20KB

Download
memory/4872-244-0x0000026CB0760000-0x0000026CB07A0000-memory.dmp

Filesize
256KB

Download
memory/4872-243-0x0000026CB0720000-0x0000026CB0740000-memory.dmp

Filesize
128KB

Download
memory/4872-245-0x0000026CB07A0000-0x0000026CB07C0000-memory.dmp

Filesize
128KB

Download
memory/4872-246-0x0000026CB07C0000-0x0000026CB07E0000-memory.dmp

Filesize
128KB

Download
memory/4872-247-0x0000026CB07A0000-0x0000026CB07C0000-memory.dmp

Filesize
128KB

Download
memory/4872-248-0x0000026CB07C0000-0x0000026CB07E0000-memory.dmp

Filesize
128KB

Download