amadey | ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5B47.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2AE8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	NAV-ESD-22.20.5.39-EN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2C7F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2AE8.exe

Loads dropped DLL 64 IoCs

pid	Process
2672	regsvr32.exe
2672	regsvr32.exe
5584	rundll32.exe
4732	build2.exe
4732	build2.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
1740	coInst.exe
1740	coInst.exe
1740	coInst.exe
1668	EFAInst64.exe
1668	EFAInst64.exe
1668	EFAInst64.exe
5588	ELAMInst.exe
5588	ELAMInst.exe
5588	ELAMInst.exe
3188	RuleUp.exe
3188	RuleUp.exe
3188	RuleUp.exe
3188	RuleUp.exe
3188	RuleUp.exe
3188	RuleUp.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
660	tuIH.exe
660	tuIH.exe
660	tuIH.exe
660	tuIH.exe
660	tuIH.exe
660	tuIH.exe
5056	InstCA.exe
5056	InstCA.exe
5056	InstCA.exe
5056	InstCA.exe
5056	InstCA.exe
5056	InstCA.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4732	icacls.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC = "\"C:\\PROGRA~2\\NORTON~1\\{0C55C~1\\NGC\\562C4DD5\\22205~1.39\\InstStub.exe\" /RELAUNCH /RUNONCE /PRODID NGC"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC\MEDIA = "C:\\Users\\Admin\\Downloads\\NAV-ESD-22.20.5.39-EN.exe"	NAV-ESD-22.20.5.39-EN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC = "\"C:\\PROGRA~2\\NORTON~1\\{0C55C~1\\NGC\\562C4DD5\\22205~1.39\\InstStub.exe\" /RELAUNCH /RUNONCE /NOPROMPT /PRODID NGC"	NAV-ESD-22.20.5.39-EN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\NGC	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fa96cd4c-0338-45c0-b0c0-e4237608920c\\2AE8.exe\" --AutoStart"	2AE8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\manifest.json	5B47.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security\desktop.ini	NAV-ESD-22.20.5.39-EN.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ = "Norton Password Manager"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\NoExplorer = "1"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ = "Norton Password Manager"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ = "Norton Password Manager"	NortonSecurity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\NoExplorer = "1"	NortonSecurity.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\NoExplorer = "1"	NAV-ESD-22.20.5.39-EN.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1068	api.2ip.ua
1151	api.2ip.ua
1165	api.2ip.ua
987	api.2ip.ua
1097	api.2ip.ua
1134	api.2ip.ua
1175	api.2ip.ua
1096	api.2ip.ua
31	api.2ip.ua
988	api.2ip.ua
1152	api.2ip.ua
1166	api.2ip.ua
1176	api.2ip.ua
27	api.2ip.ua

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3781B4A3713292956206932165FA4132_DFD3E0F75C6A3CFC3271FE2C5C19E838	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_5BFB72FAE1BB9D1928D1C5C92F52E8EA	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_5BFB72FAE1BB9D1928D1C5C92F52E8EA	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F234AF16A662E2448E049CAD14C6D675	NortonSecurity.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	NortonSecurity.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	Sevntx64.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	Sevntx64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3781B4A3713292956206932165FA4132_DFD3E0F75C6A3CFC3271FE2C5C19E838	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0F7788E201A03EF5036E7C8BF55432CB_BDA62707BA70CB0111D9E81215C5BF30	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0F7788E201A03EF5036E7C8BF55432CB_BDA62707BA70CB0111D9E81215C5BF30	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F234AF16A662E2448E049CAD14C6D675	NortonSecurity.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 4828 set thread context of 4264	4828	2AE8.exe	96
PID 228 set thread context of 4756	228	5B47.exe	108
PID 4456 set thread context of 5668	4456	2AE8.exe	142
PID 4720 set thread context of 4732	4720	build2.exe	174
PID 4444 set thread context of 3620	4444	2AE8.exe	407
PID 4996 set thread context of 2848	4996	2AE8.exe	469
PID 1816 set thread context of 4764	1816	2AE8.exe	496
PID 6028 set thread context of 1272	6028	2AE8.exe	530
PID 5428 set thread context of 5156	5428	2AE8.exe	549
PID 5172 set thread context of 5248	5172	2AE8.exe	570
PID 5084 set thread context of 660	5084	2AE8.exe	587

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{591D2F72-BEEF-4E6D-AEE1-2C53200DE57E}.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\sw.pak.info	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\MSVCP140.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\SPManifests\SymEFA.grd	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\19\01	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\am.pak.info	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\cctFW.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\coFeatSv.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\en-GB.pak.info	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\tr.pak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4104_553626233\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\04\01\InsBrand.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\13\01\hlinks	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\MUI\22.20.5.39\IMAGES\icon_metrotoaster_image_risk.png	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\IPSDefs\20200717.500\v.grd	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\Iron.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\coIDSafe.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Branding\22.20.5.39\15\01\muis.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\04\02	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\FFPrefs.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\SymPlatformDefs\20200721.050\virscan1.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\ccGLog.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\QStartUI.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\BASHDefs\20200717.004\bhspauth.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\uiMetroN.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\MClnTask.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\SDKCmn.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\SDKCmn.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\STICDefs\20190827.078\hlinks	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\11\01\hlinks	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\ms.pak.info	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{D418C996-433A-42df-8D3C-E1A24C0AD3C0}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\coNatHst.exe	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\srtspx64.cat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\07\01\InsBrand.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\pl.pak.info	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\SymPlatformDefs\20200721.050\catalog.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\SymPlatformDefs\20200721.050\disseq.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\IPSDefs\definfo.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\06\01\InsMUI.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\SPManifests\SEF.grd	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\14\01\InsMUI.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{64A1EE4A-948D-4bd0-A3E6-9D6BF96DF72A}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\WebProtectionDefs\20100430.009\virscan1.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\SPManifests\NAVPatch.sig	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\msvcp140.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\Definitions\SDSDefs\20221128.016\virscan9.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{65190544-26C3-43a4-A78A-694964901607}.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{A6AC491F-0711-4D5A-8612-F085B49B1AE1}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{591D2F72-6BF6-4E6D-AEE1-2C53200DE57E}.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{D49714FD-DF22-4124-9FC2-D059ACABE7E1}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\vccorlib140.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\nl.pak.info	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\sl.pak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\ta.pak	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\Definitions\SDSDefs\20221128.016\hp_1.idx	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\concrt140.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\WebProtectionDefs\definfo.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\Definitions\SDSDefs\20221128.016\virscan5.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{591D2F72-6BF6-4E6D-AEE1-2C53200DE57E}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\MUI\22.20.5.39\09\01\ncwRes.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\SymPlatformDefs\20200721.050\disconf.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\BASHDefs\20200717.004\bhscda.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\BASHDefs\20200717.004\bhsprule.dat	NAV-ESD-22.20.5.39-EN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 53 IoCs

pid	pid_target	Process	procid_target
984	3068	WerFault.exe	88
3616	4896	WerFault.exe	82
2800	2412	WerFault.exe	83
3668	3172	WerFault.exe	87
5052	4828	WerFault.exe	123
5976	2188	WerFault.exe	157
5096	5496	WerFault.exe	164
5664	2024	WerFault.exe	182
2012	1156	WerFault.exe	191
2312	4676	WerFault.exe	199
2804	3016	WerFault.exe	232
6024	4152	WerFault.exe	258
5404	2364	WerFault.exe	260
4004	5076	WerFault.exe	331
220	3712	WerFault.exe	364
2672	4816	WerFault.exe	374
4164	5952	WerFault.exe	394
1112	5364	WerFault.exe	400
5264	1704	WerFault.exe	435
1008	1156	WerFault.exe	447
3260	1316	WerFault.exe	451
5752	4592	WerFault.exe	458
2372	224	WerFault.exe	463
5436	1272	WerFault.exe	462
3488	508	WerFault.exe	471
4252	3056	WerFault.exe	475
3560	812	WerFault.exe	478
4536	1992	WerFault.exe	482
1160	5048	WerFault.exe	487
4768	1572	WerFault.exe	498
4768	4976	WerFault.exe	510
5604	5176	WerFault.exe	515
1948	5992	WerFault.exe	519
1120	3296	WerFault.exe	523
3916	3580	WerFault.exe	524
1892	5960	WerFault.exe	531
3844	3968	WerFault.exe	534
3472	812	WerFault.exe	539
396	3964	WerFault.exe	542
1064	2828	WerFault.exe	545
1652	5548	WerFault.exe	550
5764	2592	WerFault.exe	553
5136	5356	WerFault.exe	556
4428	2764	WerFault.exe	559
4468	5368	WerFault.exe	563
1448	5244	WerFault.exe	564
2264	5516	WerFault.exe	571
5096	1428	WerFault.exe	574
5700	3104	WerFault.exe	577
3532	3316	WerFault.exe	580
3716	5636	WerFault.exe	583
3652	4788	WerFault.exe	588
1060	4508	WerFault.exe	591

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34FD.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34FD.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34FD.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	477D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	477D.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	477D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4352	schtasks.exe
1476	schtasks.exe
2372	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4688	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4433A54A-1AC8-432F-90FC-85F045CF383C}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\AppPath = "C:\\Program Files\\Norton Security\\Engine\\22.20.5.39"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0579E89F-E364-4a3d-A9CB-90262B2B7E1C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	NortonSecurity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = "Norton Toolbar"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0579E89F-E364-4a3d-A9CB-90262B2B7E1C}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4433A54A-1AC8-432F-90FC-85F045CF383C}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = "Norton Toolbar"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4433A54A-1AC8-432F-90FC-85F045CF383C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{476D0EA3-80F9-48B5-B70B-05E677C9C148}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{476D0EA3-80F9-48B5-B70B-05E677C9C148}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = "Norton Toolbar"	NortonSecurity.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4433A54A-1AC8-432F-90FC-85F045CF383C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B59987EA-25FE-44B4-8802-E4DE67073D8C}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B59987EA-25FE-44B4-8802-E4DE67073D8C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Policy = "3"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\AppName = "symerr.exe"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SymErr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.BuPropertySheet\CLSID	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayPending	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43DCE0DD-22BA-4CE1-A467-94CDD1FBE80C}\ProxyStubClsid32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9CC9305-0A30-4015-92A0-0711EE24E720}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\Programmable	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7102C629-439D-4CE9-A2FA-911713E8E8C2}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEE5EE11-10B4-4531-B306-1C3546BD5F42}\ProxyStubClsid32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2EF276A-4D20-44E9-B9D2-29F129EB826B}\1.0\0\win64\ = "C:\\Program Files\\Norton Security\\Engine\\22.20.5.39\\buShell.dll"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\ = "BUContextMenu Class"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\InprocServer32\ = "C:\\Program Files\\Norton Security\\Engine32\\22.20.5.39\\buShell.dll"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43DCE0DD-22BA-4CE1-A467-94CDD1FBE80C}\TypeLib	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C884BB9C-39DE-43A1-8480-B7E2FC5C77C6}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8933BDBF-DADC-44c3-BA6D-F944EBF16362}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayExcluded\CurVer\ = "BackupShell.OverlayExcluded.1"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayProtected	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E224C5C-DFDC-4906-9041-AE43C6405AA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7102C629-439D-4CE9-A2FA-911713E8E8C2}\ = "IOverlayPending"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E224C5C-DFDC-4906-9041-AE43C6405AA1}\ = "ICatalogSetFolderEnumIDListImpl"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F6A750A-637E-43FE-8E8C-CD8CC52AFCF0}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9CC9305-0A30-4015-92A0-0711EE24E720}\ = "IOutlookPlug"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{96237786-C89D-4504-837A-A3BA2C29524D}\InProcServer32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B59987EA-25FE-44B4-8802-E4DE67073D8C}\ProgID\ = "BackupShell.BuPropertySheet"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43DCE0DD-22BA-4CE1-A467-94CDD1FBE80C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E3A5D7-80C7-4228-90FE-61DF01C417A5}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2EF276A-4D20-44E9-B9D2-29F129EB826B}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayExcluded.1	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayPending\CLSID	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7102C629-439D-4CE9-A2FA-911713E8E8C2}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C884BB9C-39DE-43A1-8480-B7E2FC5C77C6}\TypeLib\ = "{C2EF276A-4D20-44E9-B9D2-29F129EB826B}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}\InprocServer32	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SymDgnHc.exe	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NortonLifeLock.Norton.Antivirus.IEContextMenu	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\NortonSecurity.exe	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\Programmable	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A5C2370-FF1E-4C2B-9796-E2FA2FF1D605}\TypeLib	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F6A750A-637E-43FE-8E8C-CD8CC52AFCF0}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9CC9305-0A30-4015-92A0-0711EE24E720}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F13C7C55-93E5-48ca-A5E5-E6564089CAB0}\VersionIndependentProgID\ = "SymDgnHC.SymDiagHelper"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MsouPlug.OutlookPlug.1	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96237786-C89D-4504-837A-A3BA2C29524D}\ = "SymAmsiProvider"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A5C2370-FF1E-4C2B-9796-E2FA2FF1D605}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA091DCE-F3CA-4ECC-A18D-B1F1871A4690}\ProxyStubClsid32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0579E89F-E364-4a3d-A9CB-90262B2B7E1C}\InfoTip = "@C:\\Program Files\\Norton Security\\Branding\\muis.dll,-116"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\VersionIndependentProgID	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\TypeLib	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A5C2370-FF1E-4C2B-9796-E2FA2FF1D605}\TypeLib	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B69B6ACA-155C-41D0-BC90-4857239731A4}\ = "INortonDriveContextMenuImpl"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ = "Norton Password Manager"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09D32393-10DA-4eca-91AA-AD11C69DB966}\InprocServer32\ = "C:\\Program Files\\Norton Security\\Engine\\22.20.5.39\\McStatus.dll"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD5F89EE-9C85-4D42-B366-919387500641}\1.0\0\win32	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A5C2370-FF1E-4C2B-9796-E2FA2FF1D605}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\BuPropertySheet	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\VersionIndependentProgID\ = "BackupShell.OverlayProtected"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}\InprocServer32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\TypeLib\ = "{C2EF276A-4D20-44E9-B9D2-29F129EB826B}"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MsouPlug.OutlookPlug\CurVer\ = "MsouPlug.OutlookPlug.1"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09D32393-10DA-4eca-91AA-AD11C69DB966}\InprocServer32\ThreadingModel = "Apartment"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEE5EE11-10B4-4531-B306-1C3546BD5F42}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F13C7C55-93E5-48ca-A5E5-E6564089CAB0}\LocalServer32\ThreadingModel = "Free"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.BuPropertySheet\ = "BuPropertySheet Class"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E224C5C-DFDC-4906-9041-AE43C6405AA1}	NAV-ESD-22.20.5.39-EN.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	NAV-ESD-22.20.5.39-EN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	NAV-ESD-22.20.5.39-EN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	NAV-ESD-22.20.5.39-EN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	NAV-ESD-22.20.5.39-EN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
2012	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
980	Process not Found
5292	taskmgr.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
644	Process not Found
644	Process not Found
644	Process not Found

Suspicious behavior: MapViewOfSection 11 IoCs

pid	Process
2012	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
1940	34FD.exe
3200	477D.exe
2176	wtgbrtj
2764	wtgbrtj
5040	wtgbrtj
1752	wtgbrtj

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
2408	chrome.exe
4304	msedge.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
4304	msedge.exe
2408	chrome.exe
980	Process not Found
980	Process not Found
4304	msedge.exe
980	Process not Found
4304	msedge.exe
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
2408	chrome.exe
4304	msedge.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
980	Process not Found
980	Process not Found
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
980	Process not Found
4500	NAV-ESD-22.20.5.39-EN.exe
4020	NortonSecurity.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 4828	980	Process not Found	81
PID 980 wrote to memory of 4828	980	Process not Found	81
PID 980 wrote to memory of 4828	980	Process not Found	81
PID 980 wrote to memory of 4896	980	Process not Found	82
PID 980 wrote to memory of 4896	980	Process not Found	82
PID 980 wrote to memory of 4896	980	Process not Found	82
PID 980 wrote to memory of 2412	980	Process not Found	83
PID 980 wrote to memory of 2412	980	Process not Found	83
PID 980 wrote to memory of 2412	980	Process not Found	83
PID 980 wrote to memory of 1940	980	Process not Found	84
PID 980 wrote to memory of 1940	980	Process not Found	84
PID 980 wrote to memory of 1940	980	Process not Found	84
PID 980 wrote to memory of 3200	980	Process not Found	85
PID 980 wrote to memory of 3200	980	Process not Found	85
PID 980 wrote to memory of 3200	980	Process not Found	85
PID 980 wrote to memory of 3068	980	Process not Found	88
PID 980 wrote to memory of 3068	980	Process not Found	88
PID 980 wrote to memory of 3068	980	Process not Found	88
PID 980 wrote to memory of 3172	980	Process not Found	87
PID 980 wrote to memory of 3172	980	Process not Found	87
PID 980 wrote to memory of 3172	980	Process not Found	87
PID 980 wrote to memory of 4104	980	Process not Found	89
PID 980 wrote to memory of 4104	980	Process not Found	89
PID 4104 wrote to memory of 2672	4104	regsvr32.exe	90
PID 4104 wrote to memory of 2672	4104	regsvr32.exe	90
PID 4104 wrote to memory of 2672	4104	regsvr32.exe	90
PID 980 wrote to memory of 228	980	Process not Found	98
PID 980 wrote to memory of 228	980	Process not Found	98
PID 980 wrote to memory of 228	980	Process not Found	98
PID 980 wrote to memory of 3996	980	Process not Found	91
PID 980 wrote to memory of 3996	980	Process not Found	91
PID 980 wrote to memory of 3996	980	Process not Found	91
PID 980 wrote to memory of 3996	980	Process not Found	91
PID 4896 wrote to memory of 4100	4896	2C7F.exe	92
PID 4896 wrote to memory of 4100	4896	2C7F.exe	92
PID 4896 wrote to memory of 4100	4896	2C7F.exe	92
PID 980 wrote to memory of 380	980	Process not Found	97
PID 980 wrote to memory of 380	980	Process not Found	97
PID 980 wrote to memory of 380	980	Process not Found	97
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4828 wrote to memory of 4264	4828	2AE8.exe	96
PID 4100 wrote to memory of 1476	4100	rovwer.exe	104
PID 4100 wrote to memory of 1476	4100	rovwer.exe	104
PID 4100 wrote to memory of 1476	4100	rovwer.exe	104
PID 4264 wrote to memory of 4732	4264	2AE8.exe	107
PID 4264 wrote to memory of 4732	4264	2AE8.exe	107
PID 4264 wrote to memory of 4732	4264	2AE8.exe	107
PID 228 wrote to memory of 4756	228	5B47.exe	108
PID 228 wrote to memory of 4756	228	5B47.exe	108
PID 228 wrote to memory of 4756	228	5B47.exe	108
PID 228 wrote to memory of 4756	228	5B47.exe	108
PID 228 wrote to memory of 4756	228	5B47.exe	108
PID 228 wrote to memory of 4756	228	5B47.exe	108
PID 228 wrote to memory of 4756	228	5B47.exe	108
PID 228 wrote to memory of 4756	228	5B47.exe	108
PID 228 wrote to memory of 4756	228	5B47.exe	108

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
"C:\Users\Admin\AppData\Local\Temp\ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2012

C:\Users\Admin\AppData\Local\Temp\2AE8.exe
C:\Users\Admin\AppData\Local\Temp\2AE8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\2AE8.exe
  C:\Users\Admin\AppData\Local\Temp\2AE8.exe
  2⤵
  - DcRat
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4732
- - C:\Users\Admin\AppData\Local\Temp\2AE8.exe
    "C:\Users\Admin\AppData\Local\Temp\2AE8.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\2AE8.exe
      "C:\Users\Admin\AppData\Local\Temp\2AE8.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Modifies extensions of user files
      Checks computer location settings
      PID:5668
    - - C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe
        
        "C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4720
      - C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe
        
        "C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe" & exit
        7⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:4688
    - - C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build3.exe
        
        "C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build3.exe"
        5⤵
        Executes dropped EXE
        
        PID:4880
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2372

C:\Users\Admin\AppData\Local\Temp\2C7F.exe
C:\Users\Admin\AppData\Local\Temp\2C7F.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:1476
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - outlook_win_path
    PID:5584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1140
  2⤵
  - Program crash
  PID:3616

C:\Users\Admin\AppData\Local\Temp\2F11.exe
C:\Users\Admin\AppData\Local\Temp\2F11.exe
1⤵
- Executes dropped EXE
PID:2412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 444
  2⤵
  - Program crash
  PID:2800

C:\Users\Admin\AppData\Local\Temp\34FD.exe
C:\Users\Admin\AppData\Local\Temp\34FD.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1940

C:\Users\Admin\AppData\Local\Temp\477D.exe
C:\Users\Admin\AppData\Local\Temp\477D.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3200

C:\Users\Admin\AppData\Local\Temp\522D.exe
C:\Users\Admin\AppData\Local\Temp\522D.exe
1⤵
- Executes dropped EXE
PID:3172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 340
  2⤵
  - Program crash
  PID:3668

C:\Users\Admin\AppData\Local\Temp\4DD7.exe
C:\Users\Admin\AppData\Local\Temp\4DD7.exe
1⤵
- Executes dropped EXE
PID:3068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 344
  2⤵
  - Program crash
  PID:984

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\56F1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\56F1.dll
  2⤵
  - Loads dropped DLL
  PID:2672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3068 -ip 3068
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4896 -ip 4896
1⤵
PID:4440

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\5B47.exe
C:\Users\Admin\AppData\Local\Temp\5B47.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\5B47.exe
  C:\Users\Admin\AppData\Local\Temp\5B47.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Drops Chrome extension
  PID:4756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://search-hoj.com/reginst/prg/3a483db7/102/0/"
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa064846f8,0x7ffa06484708,0x7ffa06484718
      4⤵
      PID:4172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:2168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      PID:900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
      4⤵
      PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      4⤵
      PID:1784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
      4⤵
      PID:1184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 /prefetch:8
      4⤵
      PID:5168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 /prefetch:8
      4⤵
      PID:5320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
      4⤵
      PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
      4⤵
      PID:5416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
      4⤵
      PID:5980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
      4⤵
      PID:5620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7a8b25460,0x7ff7a8b25470,0x7ff7a8b25480
        5⤵
        
        PID:5884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
      4⤵
      PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6288 /prefetch:8
      4⤵
      PID:3772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4932 /prefetch:2
      4⤵
      PID:5224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
      4⤵
      PID:1776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8
      4⤵
      PID:5632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:8
      4⤵
      PID:1092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
      4⤵
      PID:4524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1328 /prefetch:8
      4⤵
      PID:5764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:8
      4⤵
      PID:1280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://search-hoj.com/reginst/prg/3a483db7/102/0/"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2408
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa065a4f50,0x7ffa065a4f60,0x7ffa065a4f70
      4⤵
      PID:2320
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
      4⤵
      PID:2120
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1968 /prefetch:8
      4⤵
      PID:4404
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
      4⤵
      PID:916
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
      4⤵
      PID:4452
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
      4⤵
      PID:4208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
      4⤵
      PID:5588
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 /prefetch:8
      4⤵
      PID:5704
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 /prefetch:8
      4⤵
      PID:5384
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 /prefetch:8
      4⤵
      PID:728
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
      4⤵
      PID:5724
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 /prefetch:8
      4⤵
      PID:344
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
      4⤵
      PID:5840
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3388 /prefetch:2
      4⤵
      PID:5676
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:8
      4⤵
      PID:4300
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
      4⤵
      PID:5344
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
      4⤵
      PID:4536
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
      4⤵
      PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2412 -ip 2412
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3172 -ip 3172
1⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 420
  2⤵
  - Program crash
  PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4828 -ip 4828
1⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 420
  2⤵
  - Program crash
  PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2188 -ip 2188
1⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:5496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 416
  2⤵
  - Program crash
  PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5496 -ip 5496
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 428
  2⤵
  - Program crash
  PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2024 -ip 2024
1⤵
PID:4624

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4212
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:4352

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:1156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 420
  2⤵
  - Program crash
  PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1156 -ip 1156
1⤵
PID:5884

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1752

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 420
  2⤵
  - Program crash
  PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4676 -ip 4676
1⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa065a4f50,0x7ffa065a4f60,0x7ffa065a4f70
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1936 /prefetch:8
  2⤵
  PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=916 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1600 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1492 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5184 /prefetch:2
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3048 /prefetch:8
  2⤵
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7776 /prefetch:1
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8376 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8532 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8684 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8768 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9176 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9328 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9680 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9556 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9136 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9988 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10448 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1620 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8328 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8148 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10204 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9808 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9972 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3864 /prefetch:8
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9452 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8824 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6448 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6560 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:6104
- C:\Users\Admin\Downloads\NAV-ESD-22.20.5.39-EN.exe
  "C:\Users\Admin\Downloads\NAV-ESD-22.20.5.39-EN.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:4500
- - C:\Program Files\Norton Security\Engine\22.20.5.39\coInst.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\coInst.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1740
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SRTSP_CA.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SRTSP_CA.exe" /install
    3⤵
    - Executes dropped EXE
    PID:2256
- - C:\Program Files\Norton Security\Engine\22.20.5.39\EFAInst64.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\EFAInst64.exe" /legacydelsysvolinfo
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1668
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SymVTCatalogDB.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SymVTCatalogDB.exe" /d
    3⤵
    - Executes dropped EXE
    PID:4300
- - C:\Program Files\Norton Security\Engine\22.20.5.39\ELAMInst.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\ELAMInst.exe" "C:\Windows\System32\drivers\NGCx64\1614050.027" /install /installcertinfo
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5588
- - C:\Program Files\Norton Security\Engine\22.20.5.39\Sevntx64.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\Sevntx64.exe" /Q /HRESULT /CheckForOlderVersion /log IS
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:960
- - C:\Program Files\Norton Security\Engine\22.20.5.39\RuleUp.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\RuleUp.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3188
- - C:\Program Files\Norton Security\Engine\22.20.5.39\symerr.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\symerr.exe" /uninstalltasksandlegacy
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2280
- - C:\Program Files\Norton Security\Engine32\22.20.5.39\tuIH.exe
    "C:\Program Files\Norton Security\Engine32\22.20.5.39\tuIH.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:660
- - C:\Program Files\Norton Security\Engine32\22.20.5.39\InstCA.exe
    "C:\Program Files\Norton Security\Engine32\22.20.5.39\InstCA.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5056
- - C:\Program Files\Norton Security\Engine\22.20.5.39\coInst.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\coInst.exe" /install
    3⤵
    - Executes dropped EXE
    PID:5144
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SRTSP_CA.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SRTSP_CA.exe" /install
    3⤵
    - Executes dropped EXE
    PID:3064
- - C:\Program Files\Norton Security\Engine\22.20.5.39\EFAInst64.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\EFAInst64.exe" /legacydelsysvolinfo
    3⤵
    - Executes dropped EXE
    PID:2008
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SymVTCatalogDB.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SymVTCatalogDB.exe" /d
    3⤵
    - Executes dropped EXE
    PID:1784
- - C:\Program Files\Norton Security\Engine\22.20.5.39\ELAMInst.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\ELAMInst.exe" "C:\Windows\System32\drivers\NGCx64\1614050.027" /install /installcertinfo
    3⤵
    - Executes dropped EXE
    PID:4536
- - C:\Program Files\Norton Security\Engine\22.20.5.39\Sevntx64.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\Sevntx64.exe" /Q /HRESULT /CheckForOlderVersion /log IS
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5696
- - C:\Program Files\Norton Security\Engine\22.20.5.39\RuleUp.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\RuleUp.exe" /install
    3⤵
    - Executes dropped EXE
    PID:4048
- - C:\Program Files\Norton Security\Engine\22.20.5.39\symerr.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\symerr.exe" /uninstalltasksandlegacy
    3⤵
    - Executes dropped EXE
    PID:1732
- - C:\Program Files\Norton Security\Engine32\22.20.5.39\tuIH.exe
    "C:\Program Files\Norton Security\Engine32\22.20.5.39\tuIH.exe" /install
    3⤵
    - Executes dropped EXE
    PID:1684
- - C:\Program Files\Norton Security\Engine32\22.20.5.39\InstCA.exe
    "C:\Program Files\Norton Security\Engine32\22.20.5.39\InstCA.exe" /install
    3⤵
    - Executes dropped EXE
    PID:5508
- - C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\InstStub.exe
    "C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\InstStub.exe" /TRAYONLY
    3⤵
    - Executes dropped EXE
    PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1720 /prefetch:8
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1708 /prefetch:8
  2⤵
  PID:6120
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
  "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=lOLFXvEmZv5Y6bV7bPMuWFKTNu7RFNIYJHZNaJFX --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
  2⤵
  - Executes dropped EXE
  PID:5188
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x294,0x298,0x29c,0x268,0x2a0,0x7ff771445960,0x7ff771445970,0x7ff771445980
    3⤵
    - Executes dropped EXE
    PID:4644
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5188_ZKHYKLOATJNLAMUI" --sandboxed-process-id=2 --init-done-notifier=784 --sandbox-mojo-pipe-token=257946272168227906 --mojo-platform-channel-handle=760 --engine=2
    3⤵
    - Executes dropped EXE
    PID:4300
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5188_ZKHYKLOATJNLAMUI" --sandboxed-process-id=3 --init-done-notifier=1016 --sandbox-mojo-pipe-token=17487811587754019994 --mojo-platform-channel-handle=1012
    3⤵
    - Executes dropped EXE
    PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1888 /prefetch:8
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10212 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1420 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1420 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=157 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=158 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10000 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=159 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10440 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=160 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=161 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8824 /prefetch:1
  2⤵
  PID:3944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 428
  2⤵
  - Program crash
  PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3016 -ip 3016
1⤵
PID:5964

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4104
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4104_553626233\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4104_553626233\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={8d5674ab-3bf3-4ab7-87ca-4c2a2c412b01} --system
  2⤵
  - Executes dropped EXE
  PID:3440

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 420
  2⤵
  - Program crash
  PID:6024

C:\Users\Admin\AppData\Roaming\wtgbrtj
C:\Users\Admin\AppData\Roaming\wtgbrtj
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2176

C:\Users\Admin\AppData\Roaming\cigbrtj
C:\Users\Admin\AppData\Roaming\cigbrtj
1⤵
- Executes dropped EXE
PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 344
  2⤵
  - Program crash
  PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4152 -ip 4152
1⤵
PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2364 -ip 2364
1⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:5076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 432
  2⤵
  - Program crash
  PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5076 -ip 5076
1⤵
PID:2164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x32c
1⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:3712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 420
  2⤵
  - Program crash
  PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3712 -ip 3712
1⤵
PID:5068

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:5292

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 420
  2⤵
  - Program crash
  PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4816 -ip 4816
1⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:5952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 420
  2⤵
  - Program crash
  PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5952 -ip 5952
1⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:5364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 428
  2⤵
  - Program crash
  PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5364 -ip 5364
1⤵
PID:2276

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4444
- C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
  C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
  2⤵
  - Executes dropped EXE
  PID:3620

C:\Program Files\Norton Security\Engine\22.20.5.39\uiStub.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\uiStub.exe" /win8
1⤵
- Executes dropped EXE
PID:924
- C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
  "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\13347E23\B772681D-E1E5-41A5-9DC9-E81057BEF4B5.dat"
  2⤵
  PID:2164

C:\Program Files\Norton Security\Engine\22.20.5.39\NortonSecurity.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\NortonSecurity.exe" /s "NortonSecurity" /m "C:\Program Files\Norton Security\Engine\22.20.5.39\diMaster.dll" /prefetch:1
1⤵
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
PID:4680
- C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
  "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\33230791\BB2429F8-83FA-4445-9CF5-6B5A3E69102A.dat"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:5288
- C:\Program Files\Norton Security\Engine\22.20.5.39\NortonSecurity.exe
  "C:\Program Files\Norton Security\Engine\22.20.5.39\NortonSecurity.exe" /c /a /s UserSession2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4020
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\B8D6822C\CC32DFB2-AD7C-4FD0-AF95-F9C72FA3BF72.dat"
    3⤵
    PID:4816
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\993DA71E\B67D158E-4E9A-4621-B8B0-4E8391BE310F.dat"
    3⤵
    PID:960
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\718D2846\C5AFC715-B26D-4653-A2E1-E2EEE36979AF.dat"
    3⤵
    PID:2276
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\E589B070\76372009-1017-4195-8785-EA9A9B7EE3EF.dat"
    3⤵
    PID:3080
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\24E6AB0D\11392714-117C-4116-AEF8-B4C163A95D0C.dat"
    3⤵
    PID:984
- - C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
    "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\C395E710\6B012B29-D3EA-479D-8F3D-87A5E8219461.dat"
    3⤵
    PID:5692
- C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
  "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\A213B7A2\34FB5872-2F04-472D-9AAB-57A250F0630A.dat"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4924
- C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
  "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\552D93DD\53FE1FD1-1178-415F-AB78-D75EFBC240EE.dat"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4404

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 420
  2⤵
  - Program crash
  PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1704 -ip 1704
1⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 420
  2⤵
  - Program crash
  PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1156 -ip 1156
1⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 424
  2⤵
  - Program crash
  PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1316 -ip 1316
1⤵
PID:2872

C:\Program Files\Norton Security\Engine\22.20.5.39\uiStub.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\uiStub.exe" /win8
1⤵
PID:2868
- C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
  "C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\13347E23\16E74271-B830-476D-AD5B-321ADA18D791.dat"
  2⤵
  PID:4028

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:4592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 308
  2⤵
  - Program crash
  PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4592 -ip 4592
1⤵
PID:3936

C:\Users\Admin\AppData\Roaming\wtgbrtj
C:\Users\Admin\AppData\Roaming\wtgbrtj
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2764

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 420
  2⤵
  - Program crash
  PID:5436

C:\Users\Admin\AppData\Roaming\cigbrtj
C:\Users\Admin\AppData\Roaming\cigbrtj
1⤵
PID:224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 308
  2⤵
  - Program crash
  PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 224 -ip 224
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1272 -ip 1272
1⤵
PID:2204

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:4996
- C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
  C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
  2⤵
  PID:2848

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 420
  2⤵
  - Program crash
  PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 508 -ip 508
1⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 428
  2⤵
  - Program crash
  PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3056 -ip 3056
1⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 420
  2⤵
  - Program crash
  PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 812 -ip 812
1⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 436
  2⤵
  - Program crash
  PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1992 -ip 1992
1⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 420
  2⤵
  - Program crash
  PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5048 -ip 5048
1⤵
PID:5860

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:1816
- C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
  C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
  2⤵
  PID:4764

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 420
  2⤵
  - Program crash
  PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1572 -ip 1572
1⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 420
  2⤵
  - Program crash
  PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4976 -ip 4976
1⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 428
  2⤵
  - Program crash
  PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5176 -ip 5176
1⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 416
  2⤵
  - Program crash
  PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5992 -ip 5992
1⤵
PID:5212

C:\Users\Admin\AppData\Roaming\wtgbrtj
C:\Users\Admin\AppData\Roaming\wtgbrtj
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5040

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 420
  2⤵
  - Program crash
  PID:1120

C:\Users\Admin\AppData\Roaming\cigbrtj
C:\Users\Admin\AppData\Roaming\cigbrtj
1⤵
PID:3580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 308
  2⤵
  - Program crash
  PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3296 -ip 3296
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3580 -ip 3580
1⤵
PID:5356

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:6028
- C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
  C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
  2⤵
  PID:1272

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 420
  2⤵
  - Program crash
  PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5960 -ip 5960
1⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 428
  2⤵
  - Program crash
  PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3968 -ip 3968
1⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 420
  2⤵
  - Program crash
  PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 812 -ip 812
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 420
  2⤵
  - Program crash
  PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3964 -ip 3964
1⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:2828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 420
  2⤵
  - Program crash
  PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2828 -ip 2828
1⤵
PID:2352

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:5428
- C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
  C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
  2⤵
  PID:5156

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 420
  2⤵
  - Program crash
  PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5548 -ip 5548
1⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:2592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 428
  2⤵
  - Program crash
  PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2592 -ip 2592
1⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 424
  2⤵
  - Program crash
  PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5356 -ip 5356
1⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:2764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 420
  2⤵
  - Program crash
  PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2764 -ip 2764
1⤵
PID:684

C:\Users\Admin\AppData\Roaming\wtgbrtj
C:\Users\Admin\AppData\Roaming\wtgbrtj
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1752

C:\Users\Admin\AppData\Roaming\cigbrtj
C:\Users\Admin\AppData\Roaming\cigbrtj
1⤵
PID:5368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 316
  2⤵
  - Program crash
  PID:4468

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 428
  2⤵
  - Program crash
  PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5368 -ip 5368
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5244 -ip 5244
1⤵
PID:5296

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:5172
- C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
  C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
  2⤵
  PID:5248

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 420
  2⤵
  - Program crash
  PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5516 -ip 5516
1⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 420
  2⤵
  - Program crash
  PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1428 -ip 1428
1⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 428
  2⤵
  - Program crash
  PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3104 -ip 3104
1⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 420
  2⤵
  - Program crash
  PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3316 -ip 3316
1⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 420
  2⤵
  - Program crash
  PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5636 -ip 5636
1⤵
PID:5348

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:5084
- C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
  C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
  2⤵
  PID:660

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:4788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 420
  2⤵
  - Program crash
  PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4788 -ip 4788
1⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:4508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 420
  2⤵
  - Program crash
  PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4508 -ip 4508
1⤵
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery