amadey | ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e

System Information Discovery

Processes:

5B47.exe2AE8.exebuild2.exeNAV-ESD-22.20.5.39-EN.exe2C7F.exerovwer.exe2AE8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5B47.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2AE8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	NAV-ESD-22.20.5.39-EN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2C7F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2AE8.exe

Loads dropped DLL 64 IoCs

Processes:

regsvr32.exerundll32.exebuild2.exeNAV-ESD-22.20.5.39-EN.execoInst.exeEFAInst64.exeELAMInst.exeRuleUp.exesymerr.exetuIH.exeInstCA.exe

pid	process
2672	regsvr32.exe
2672	regsvr32.exe
5584	rundll32.exe
4732	build2.exe
4732	build2.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
1740	coInst.exe
1740	coInst.exe
1740	coInst.exe
1668	EFAInst64.exe
1668	EFAInst64.exe
1668	EFAInst64.exe
5588	ELAMInst.exe
5588	ELAMInst.exe
5588	ELAMInst.exe
3188	RuleUp.exe
3188	RuleUp.exe
3188	RuleUp.exe
3188	RuleUp.exe
3188	RuleUp.exe
3188	RuleUp.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
2280	symerr.exe
660	tuIH.exe
660	tuIH.exe
660	tuIH.exe
660	tuIH.exe
660	tuIH.exe
660	tuIH.exe
5056	InstCA.exe
5056	InstCA.exe
5056	InstCA.exe
5056	InstCA.exe
5056	InstCA.exe
5056	InstCA.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe
4500	NAV-ESD-22.20.5.39-EN.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4732 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4732	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

explorer.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

msedge.exeNAV-ESD-22.20.5.39-EN.exe2AE8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC = "\"C:\\PROGRA~2\\NORTON~1\\{0C55C~1\\NGC\\562C4DD5\\22205~1.39\\InstStub.exe\" /RELAUNCH /RUNONCE /PRODID NGC"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC\MEDIA = "C:\\Users\\Admin\\Downloads\\NAV-ESD-22.20.5.39-EN.exe"	NAV-ESD-22.20.5.39-EN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\NGC = "\"C:\\PROGRA~2\\NORTON~1\\{0C55C~1\\NGC\\562C4DD5\\22205~1.39\\InstStub.exe\" /RELAUNCH /RUNONCE /NOPROMPT /PRODID NGC"	NAV-ESD-22.20.5.39-EN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\NGC	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fa96cd4c-0338-45c0-b0c0-e4237608920c\\2AE8.exe\" --AutoStart"	2AE8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

5B47.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\manifest.json	5B47.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

NAV-ESD-22.20.5.39-EN.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security\desktop.ini	NAV-ESD-22.20.5.39-EN.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

NAV-ESD-22.20.5.39-EN.exeNortonSecurity.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ = "Norton Password Manager"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\NoExplorer = "1"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ = "Norton Password Manager"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ = "Norton Password Manager"	NortonSecurity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\NoExplorer = "1"	NortonSecurity.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\NoExplorer = "1"	NAV-ESD-22.20.5.39-EN.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1068	api.2ip.ua
1151	api.2ip.ua
1165	api.2ip.ua
987	api.2ip.ua
1097	api.2ip.ua
1134	api.2ip.ua
1175	api.2ip.ua
1096	api.2ip.ua
31	api.2ip.ua
988	api.2ip.ua
1152	api.2ip.ua
1166	api.2ip.ua
1176	api.2ip.ua
27	api.2ip.ua

Drops file in System32 directory 13 IoCs

Processes:

NortonSecurity.exeSevntx64.exeSevntx64.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3781B4A3713292956206932165FA4132_DFD3E0F75C6A3CFC3271FE2C5C19E838	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_5BFB72FAE1BB9D1928D1C5C92F52E8EA	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_5BFB72FAE1BB9D1928D1C5C92F52E8EA	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F234AF16A662E2448E049CAD14C6D675	NortonSecurity.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	NortonSecurity.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	Sevntx64.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	Sevntx64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3781B4A3713292956206932165FA4132_DFD3E0F75C6A3CFC3271FE2C5C19E838	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0F7788E201A03EF5036E7C8BF55432CB_BDA62707BA70CB0111D9E81215C5BF30	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0F7788E201A03EF5036E7C8BF55432CB_BDA62707BA70CB0111D9E81215C5BF30	NortonSecurity.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F234AF16A662E2448E049CAD14C6D675	NortonSecurity.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

2AE8.exe5B47.exe2AE8.exebuild2.exe2AE8.exe2AE8.exe2AE8.exe2AE8.exe2AE8.exe2AE8.exe2AE8.exe

description	pid	process	target process
PID 4828 set thread context of 4264	4828	2AE8.exe	2AE8.exe
PID 228 set thread context of 4756	228	5B47.exe	5B47.exe
PID 4456 set thread context of 5668	4456	2AE8.exe	2AE8.exe
PID 4720 set thread context of 4732	4720	build2.exe	build2.exe
PID 4444 set thread context of 3620	4444	2AE8.exe	2AE8.exe
PID 4996 set thread context of 2848	4996	2AE8.exe	2AE8.exe
PID 1816 set thread context of 4764	1816	2AE8.exe	2AE8.exe
PID 6028 set thread context of 1272	6028	2AE8.exe	2AE8.exe
PID 5428 set thread context of 5156	5428	2AE8.exe	2AE8.exe
PID 5172 set thread context of 5248	5172	2AE8.exe	2AE8.exe
PID 5084 set thread context of 660	5084	2AE8.exe	2AE8.exe

Drops file in Program Files directory 64 IoCs

Processes:

NAV-ESD-22.20.5.39-EN.exeelevation_service.exe

description	ioc	process
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{591D2F72-BEEF-4E6D-AEE1-2C53200DE57E}.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\sw.pak.info	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\MSVCP140.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\SPManifests\SymEFA.grd	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\19\01	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\am.pak.info	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\cctFW.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\coFeatSv.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\en-GB.pak.info	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\tr.pak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4104_553626233\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\04\01\InsBrand.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\13\01\hlinks	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\MUI\22.20.5.39\IMAGES\icon_metrotoaster_image_risk.png	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\IPSDefs\20200717.500\v.grd	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\Iron.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\coIDSafe.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Branding\22.20.5.39\15\01\muis.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\04\02	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\FFPrefs.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\SymPlatformDefs\20200721.050\virscan1.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\ccGLog.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\QStartUI.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\BASHDefs\20200717.004\bhspauth.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\uiMetroN.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\MClnTask.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\SDKCmn.dll	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\SDKCmn.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\STICDefs\20190827.078\hlinks	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\11\01\hlinks	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\ms.pak.info	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{D418C996-433A-42df-8D3C-E1A24C0AD3C0}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\coNatHst.exe	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\srtspx64.cat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\07\01\InsBrand.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\pl.pak.info	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\SymPlatformDefs\20200721.050\catalog.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\SymPlatformDefs\20200721.050\disseq.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\IPSDefs\definfo.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\06\01\InsMUI.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\SPManifests\SEF.grd	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\14\01\InsMUI.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{64A1EE4A-948D-4bd0-A3E6-9D6BF96DF72A}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\WebProtectionDefs\20100430.009\virscan1.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\SPManifests\NAVPatch.sig	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\msvcp140.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\Definitions\SDSDefs\20221128.016\virscan9.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{65190544-26C3-43a4-A78A-694964901607}.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{A6AC491F-0711-4D5A-8612-F085B49B1AE1}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{591D2F72-6BF6-4E6D-AEE1-2C53200DE57E}.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{D49714FD-DF22-4124-9FC2-D059ACABE7E1}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\vccorlib140.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\nl.pak.info	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\sl.pak	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine32\22.20.5.39\locales\ta.pak	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\Definitions\SDSDefs\20221128.016\hp_1.idx	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\Engine\22.20.5.39\concrt140.dll	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\WebProtectionDefs\definfo.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\Definitions\SDSDefs\20221128.016\virscan5.dat	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\Engine\22.20.5.39\itbLUReg\{591D2F72-6BF6-4E6D-AEE1-2C53200DE57E}.dat.bak	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\MUI\22.20.5.39\09\01\ncwRes.loc	NAV-ESD-22.20.5.39-EN.exe
File opened for modification	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\SymPlatformDefs\20200721.050\disconf.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\BASHDefs\20200717.004\bhscda.dat	NAV-ESD-22.20.5.39-EN.exe
File created	C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\BASHDefs\20200717.004\bhsprule.dat	NAV-ESD-22.20.5.39-EN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 53 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
984	3068	WerFault.exe	4DD7.exe
3616	4896	WerFault.exe	2C7F.exe
2800	2412	WerFault.exe	2F11.exe
3668	3172	WerFault.exe	522D.exe
5052	4828	WerFault.exe	rovwer.exe
5976	2188	WerFault.exe	rovwer.exe
5096	5496	WerFault.exe	rovwer.exe
5664	2024	WerFault.exe	rovwer.exe
2012	1156	WerFault.exe	rovwer.exe
2312	4676	WerFault.exe	rovwer.exe
2804	3016	WerFault.exe	rovwer.exe
6024	4152	WerFault.exe	rovwer.exe
5404	2364	WerFault.exe	cigbrtj
4004	5076	WerFault.exe	rovwer.exe
220	3712	WerFault.exe	rovwer.exe
2672	4816	WerFault.exe	rovwer.exe
4164	5952	WerFault.exe	rovwer.exe
1112	5364	WerFault.exe	rovwer.exe
5264	1704	WerFault.exe	rovwer.exe
1008	1156	WerFault.exe	rovwer.exe
3260	1316	WerFault.exe	rovwer.exe
5752	4592	WerFault.exe	rovwer.exe
2372	224	WerFault.exe	cigbrtj
5436	1272	WerFault.exe	rovwer.exe
3488	508	WerFault.exe	rovwer.exe
4252	3056	WerFault.exe	rovwer.exe
3560	812	WerFault.exe	rovwer.exe
4536	1992	WerFault.exe	rovwer.exe
1160	5048	WerFault.exe	rovwer.exe
4768	1572	WerFault.exe	rovwer.exe
4768	4976	WerFault.exe	rovwer.exe
5604	5176	WerFault.exe	rovwer.exe
1948	5992	WerFault.exe	rovwer.exe
1120	3296	WerFault.exe	rovwer.exe
3916	3580	WerFault.exe	cigbrtj
1892	5960	WerFault.exe	rovwer.exe
3844	3968	WerFault.exe	rovwer.exe
3472	812	WerFault.exe	rovwer.exe
396	3964	WerFault.exe	rovwer.exe
1064	2828	WerFault.exe	rovwer.exe
1652	5548	WerFault.exe	rovwer.exe
5764	2592	WerFault.exe	rovwer.exe
5136	5356	WerFault.exe	rovwer.exe
4428	2764	WerFault.exe	rovwer.exe
4468	5368	WerFault.exe	cigbrtj
1448	5244	WerFault.exe	rovwer.exe
2264	5516	WerFault.exe	rovwer.exe
5096	1428	WerFault.exe	rovwer.exe
5700	3104	WerFault.exe	rovwer.exe
3532	3316	WerFault.exe	rovwer.exe
3716	5636	WerFault.exe	rovwer.exe
3652	4788	WerFault.exe	rovwer.exe
1060	4508	WerFault.exe	rovwer.exe

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exewtgbrtjwtgbrtjtaskmgr.exewtgbrtjwtgbrtjee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe34FD.exe477D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34FD.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34FD.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34FD.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	477D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	477D.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	477D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtgbrtj

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

taskmgr.exebuild2.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4352 schtasks.exe
1476 schtasks.exe
2372 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4688 timeout.exe

pid	process
4352	schtasks.exe
1476	schtasks.exe
2372	schtasks.exe

pid	process
4688	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exemsedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

Processes:

NAV-ESD-22.20.5.39-EN.exeNortonSecurity.exeNortonSecurity.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4433A54A-1AC8-432F-90FC-85F045CF383C}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\AppPath = "C:\\Program Files\\Norton Security\\Engine\\22.20.5.39"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0579E89F-E364-4a3d-A9CB-90262B2B7E1C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	NortonSecurity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = "Norton Toolbar"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0579E89F-E364-4a3d-A9CB-90262B2B7E1C}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4433A54A-1AC8-432F-90FC-85F045CF383C}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = "Norton Toolbar"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4433A54A-1AC8-432F-90FC-85F045CF383C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{476D0EA3-80F9-48B5-B70B-05E677C9C148}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{476D0EA3-80F9-48B5-B70B-05E677C9C148}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = "Norton Toolbar"	NortonSecurity.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4433A54A-1AC8-432F-90FC-85F045CF383C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B59987EA-25FE-44B4-8802-E4DE67073D8C}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B59987EA-25FE-44B4-8802-E4DE67073D8C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Policy = "3"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\AppName = "symerr.exe"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}	NAV-ESD-22.20.5.39-EN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}\Compatibility Flags = "1024"	NAV-ESD-22.20.5.39-EN.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SymErr.exeSymErr.exeSymErr.exeNortonSecurity.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	NortonSecurity.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SymErr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SymErr.exe

Modifies registry class 64 IoCs

Processes:

NAV-ESD-22.20.5.39-EN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.BuPropertySheet\CLSID	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayPending	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43DCE0DD-22BA-4CE1-A467-94CDD1FBE80C}\ProxyStubClsid32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9CC9305-0A30-4015-92A0-0711EE24E720}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\Programmable	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7102C629-439D-4CE9-A2FA-911713E8E8C2}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEE5EE11-10B4-4531-B306-1C3546BD5F42}\ProxyStubClsid32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2EF276A-4D20-44E9-B9D2-29F129EB826B}\1.0\0\win64\ = "C:\\Program Files\\Norton Security\\Engine\\22.20.5.39\\buShell.dll"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\ = "BUContextMenu Class"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\InprocServer32\ = "C:\\Program Files\\Norton Security\\Engine32\\22.20.5.39\\buShell.dll"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43DCE0DD-22BA-4CE1-A467-94CDD1FBE80C}\TypeLib	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C884BB9C-39DE-43A1-8480-B7E2FC5C77C6}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8933BDBF-DADC-44c3-BA6D-F944EBF16362}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayExcluded\CurVer\ = "BackupShell.OverlayExcluded.1"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayProtected	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E224C5C-DFDC-4906-9041-AE43C6405AA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7102C629-439D-4CE9-A2FA-911713E8E8C2}\ = "IOverlayPending"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E224C5C-DFDC-4906-9041-AE43C6405AA1}\ = "ICatalogSetFolderEnumIDListImpl"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F6A750A-637E-43FE-8E8C-CD8CC52AFCF0}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9CC9305-0A30-4015-92A0-0711EE24E720}\ = "IOutlookPlug"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{96237786-C89D-4504-837A-A3BA2C29524D}\InProcServer32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B59987EA-25FE-44B4-8802-E4DE67073D8C}\ProgID\ = "BackupShell.BuPropertySheet"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43DCE0DD-22BA-4CE1-A467-94CDD1FBE80C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E3A5D7-80C7-4228-90FE-61DF01C417A5}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2EF276A-4D20-44E9-B9D2-29F129EB826B}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayExcluded.1	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.OverlayPending\CLSID	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7102C629-439D-4CE9-A2FA-911713E8E8C2}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C884BB9C-39DE-43A1-8480-B7E2FC5C77C6}\TypeLib\ = "{C2EF276A-4D20-44E9-B9D2-29F129EB826B}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}\InprocServer32	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SymDgnHc.exe	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NortonLifeLock.Norton.Antivirus.IEContextMenu	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\NortonSecurity.exe	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\Programmable	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A5C2370-FF1E-4C2B-9796-E2FA2FF1D605}\TypeLib	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F6A750A-637E-43FE-8E8C-CD8CC52AFCF0}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9CC9305-0A30-4015-92A0-0711EE24E720}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F13C7C55-93E5-48ca-A5E5-E6564089CAB0}\VersionIndependentProgID\ = "SymDgnHC.SymDiagHelper"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MsouPlug.OutlookPlug.1	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96237786-C89D-4504-837A-A3BA2C29524D}\ = "SymAmsiProvider"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A5C2370-FF1E-4C2B-9796-E2FA2FF1D605}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA091DCE-F3CA-4ECC-A18D-B1F1871A4690}\ProxyStubClsid32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0579E89F-E364-4a3d-A9CB-90262B2B7E1C}\InfoTip = "@C:\\Program Files\\Norton Security\\Branding\\muis.dll,-116"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\VersionIndependentProgID	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\TypeLib	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A5C2370-FF1E-4C2B-9796-E2FA2FF1D605}\TypeLib	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B69B6ACA-155C-41D0-BC90-4857239731A4}\ = "INortonDriveContextMenuImpl"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ = "Norton Password Manager"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09D32393-10DA-4eca-91AA-AD11C69DB966}\InprocServer32\ = "C:\\Program Files\\Norton Security\\Engine\\22.20.5.39\\McStatus.dll"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD5F89EE-9C85-4D42-B366-919387500641}\1.0\0\win32	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A5C2370-FF1E-4C2B-9796-E2FA2FF1D605}	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\BuPropertySheet	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\VersionIndependentProgID\ = "BackupShell.OverlayProtected"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}\InprocServer32	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\TypeLib\ = "{C2EF276A-4D20-44E9-B9D2-29F129EB826B}"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MsouPlug.OutlookPlug\CurVer\ = "MsouPlug.OutlookPlug.1"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09D32393-10DA-4eca-91AA-AD11C69DB966}\InprocServer32\ThreadingModel = "Apartment"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEE5EE11-10B4-4531-B306-1C3546BD5F42}	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F13C7C55-93E5-48ca-A5E5-E6564089CAB0}\LocalServer32\ThreadingModel = "Free"	NAV-ESD-22.20.5.39-EN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BackupShell.BuPropertySheet\ = "BuPropertySheet Class"	NAV-ESD-22.20.5.39-EN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E224C5C-DFDC-4906-9041-AE43C6405AA1}	NAV-ESD-22.20.5.39-EN.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

NAV-ESD-22.20.5.39-EN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	NAV-ESD-22.20.5.39-EN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	NAV-ESD-22.20.5.39-EN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	NAV-ESD-22.20.5.39-EN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	NAV-ESD-22.20.5.39-EN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe

pid	process
2012	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
2012	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exe

pid process

980
5292 taskmgr.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

644
644
644

pid	process
980
5292	taskmgr.exe

pid	process
644
644
644

Suspicious behavior: MapViewOfSection 11 IoCs

Processes:

ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe34FD.exe477D.exewtgbrtjwtgbrtjwtgbrtjwtgbrtj

pid	process
2012	ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
980
980
980
980
1940	34FD.exe
3200	477D.exe
2176	wtgbrtj
2764	wtgbrtj
5040	wtgbrtj
1752	wtgbrtj

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exemsedge.exechrome.exe

pid	process
2408	chrome.exe
2408	chrome.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
2408	chrome.exe
4304	msedge.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980
Token: SeShutdownPrivilege	980
Token: SeCreatePagefilePrivilege	980

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exetaskmgr.exe

pid	process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
4304	msedge.exe
2408	chrome.exe
980
980
4304	msedge.exe
980
4304	msedge.exe
980
980
980
980
2408	chrome.exe
4304	msedge.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
980
980
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980
980

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

NAV-ESD-22.20.5.39-EN.exeNortonSecurity.exe

pid process

980
4500 NAV-ESD-22.20.5.39-EN.exe
4020 NortonSecurity.exe

pid	process
980
4500	NAV-ESD-22.20.5.39-EN.exe
4020	NortonSecurity.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe2C7F.exe2AE8.exerovwer.exe2AE8.exe5B47.exe

description	pid	process	target process
PID 980 wrote to memory of 4828	980		2AE8.exe
PID 980 wrote to memory of 4828	980		2AE8.exe
PID 980 wrote to memory of 4828	980		2AE8.exe
PID 980 wrote to memory of 4896	980		2C7F.exe
PID 980 wrote to memory of 4896	980		2C7F.exe
PID 980 wrote to memory of 4896	980		2C7F.exe
PID 980 wrote to memory of 2412	980		2F11.exe
PID 980 wrote to memory of 2412	980		2F11.exe
PID 980 wrote to memory of 2412	980		2F11.exe
PID 980 wrote to memory of 1940	980		34FD.exe
PID 980 wrote to memory of 1940	980		34FD.exe
PID 980 wrote to memory of 1940	980		34FD.exe
PID 980 wrote to memory of 3200	980		477D.exe
PID 980 wrote to memory of 3200	980		477D.exe
PID 980 wrote to memory of 3200	980		477D.exe
PID 980 wrote to memory of 3068	980		4DD7.exe
PID 980 wrote to memory of 3068	980		4DD7.exe
PID 980 wrote to memory of 3068	980		4DD7.exe
PID 980 wrote to memory of 3172	980		522D.exe
PID 980 wrote to memory of 3172	980		522D.exe
PID 980 wrote to memory of 3172	980		522D.exe
PID 980 wrote to memory of 4104	980		regsvr32.exe
PID 980 wrote to memory of 4104	980		regsvr32.exe
PID 4104 wrote to memory of 2672	4104	regsvr32.exe	regsvr32.exe
PID 4104 wrote to memory of 2672	4104	regsvr32.exe	regsvr32.exe
PID 4104 wrote to memory of 2672	4104	regsvr32.exe	regsvr32.exe
PID 980 wrote to memory of 228	980		5B47.exe
PID 980 wrote to memory of 228	980		5B47.exe
PID 980 wrote to memory of 228	980		5B47.exe
PID 980 wrote to memory of 3996	980		explorer.exe
PID 980 wrote to memory of 3996	980		explorer.exe
PID 980 wrote to memory of 3996	980		explorer.exe
PID 980 wrote to memory of 3996	980		explorer.exe
PID 4896 wrote to memory of 4100	4896	2C7F.exe	rovwer.exe
PID 4896 wrote to memory of 4100	4896	2C7F.exe	rovwer.exe
PID 4896 wrote to memory of 4100	4896	2C7F.exe	rovwer.exe
PID 980 wrote to memory of 380	980		explorer.exe
PID 980 wrote to memory of 380	980		explorer.exe
PID 980 wrote to memory of 380	980		explorer.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4828 wrote to memory of 4264	4828	2AE8.exe	2AE8.exe
PID 4100 wrote to memory of 1476	4100	rovwer.exe	schtasks.exe
PID 4100 wrote to memory of 1476	4100	rovwer.exe	schtasks.exe
PID 4100 wrote to memory of 1476	4100	rovwer.exe	schtasks.exe
PID 4264 wrote to memory of 4732	4264	2AE8.exe	icacls.exe
PID 4264 wrote to memory of 4732	4264	2AE8.exe	icacls.exe
PID 4264 wrote to memory of 4732	4264	2AE8.exe	icacls.exe
PID 228 wrote to memory of 4756	228	5B47.exe	5B47.exe
PID 228 wrote to memory of 4756	228	5B47.exe	5B47.exe
PID 228 wrote to memory of 4756	228	5B47.exe	5B47.exe
PID 228 wrote to memory of 4756	228	5B47.exe	5B47.exe
PID 228 wrote to memory of 4756	228	5B47.exe	5B47.exe
PID 228 wrote to memory of 4756	228	5B47.exe	5B47.exe
PID 228 wrote to memory of 4756	228	5B47.exe	5B47.exe
PID 228 wrote to memory of 4756	228	5B47.exe	5B47.exe
PID 228 wrote to memory of 4756	228	5B47.exe	5B47.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe
"C:\Users\Admin\AppData\Local\Temp\ee1d1018f825ffa2d507f0d58a3a2c9d14a2b4a9c351e7d3fa05d29063488b9e.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2012

C:\Users\Admin\AppData\Local\Temp\2AE8.exe
C:\Users\Admin\AppData\Local\Temp\2AE8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\2AE8.exe
C:\Users\Admin\AppData\Local\Temp\2AE8.exe
2⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4732

C:\Users\Admin\AppData\Local\Temp\2AE8.exe
"C:\Users\Admin\AppData\Local\Temp\2AE8.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4456

C:\Users\Admin\AppData\Local\Temp\2AE8.exe
"C:\Users\Admin\AppData\Local\Temp\2AE8.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
PID:5668

C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe
"C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4720

C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe
"C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:4732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build2.exe" & exit
7⤵
PID:4808

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:4688

C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build3.exe
"C:\Users\Admin\AppData\Local\6fba7451-a95d-43a8-9c28-96aa56ae201c\build3.exe"
5⤵
- Executes dropped EXE
PID:4880

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:2372

C:\Users\Admin\AppData\Local\Temp\2C7F.exe
C:\Users\Admin\AppData\Local\Temp\2C7F.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:1476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1140
2⤵
- Program crash
PID:3616

C:\Users\Admin\AppData\Local\Temp\2F11.exe
C:\Users\Admin\AppData\Local\Temp\2F11.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 444
2⤵
- Program crash
PID:2800

C:\Users\Admin\AppData\Local\Temp\34FD.exe
C:\Users\Admin\AppData\Local\Temp\34FD.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1940

C:\Users\Admin\AppData\Local\Temp\477D.exe
C:\Users\Admin\AppData\Local\Temp\477D.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3200

C:\Users\Admin\AppData\Local\Temp\522D.exe
C:\Users\Admin\AppData\Local\Temp\522D.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 340
2⤵
- Program crash
PID:3668

C:\Users\Admin\AppData\Local\Temp\4DD7.exe
C:\Users\Admin\AppData\Local\Temp\4DD7.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 344
2⤵
- Program crash
PID:984

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\56F1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\56F1.dll
2⤵
- Loads dropped DLL
PID:2672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3068 -ip 3068
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4896 -ip 4896
1⤵
PID:4440

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\5B47.exe
C:\Users\Admin\AppData\Local\Temp\5B47.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Temp\5B47.exe
C:\Users\Admin\AppData\Local\Temp\5B47.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://search-hoj.com/reginst/prg/3a483db7/102/0/"
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa064846f8,0x7ffa06484708,0x7ffa06484718
4⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
4⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
4⤵
PID:900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
4⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
4⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
4⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 /prefetch:8
4⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 /prefetch:8
4⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
4⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
4⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
4⤵
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
4⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7a8b25460,0x7ff7a8b25470,0x7ff7a8b25480
5⤵
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
4⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6288 /prefetch:8
4⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4932 /prefetch:2
4⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
4⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8
4⤵
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:8
4⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
4⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1328 /prefetch:8
4⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,1778785697361946362,16620734516500389394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:8
4⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://search-hoj.com/reginst/prg/3a483db7/102/0/"
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa065a4f50,0x7ffa065a4f60,0x7ffa065a4f70
4⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
4⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1968 /prefetch:8
4⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
4⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
4⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
4⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
4⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 /prefetch:8
4⤵
PID:5704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 /prefetch:8
4⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 /prefetch:8
4⤵
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
4⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 /prefetch:8
4⤵
PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
4⤵
PID:5840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3388 /prefetch:2
4⤵
PID:5676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:8
4⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
4⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
4⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,6516894817733926297,5549545372535340659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
4⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2412 -ip 2412
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3172 -ip 3172
1⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 420
2⤵
- Program crash
PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4828 -ip 4828
1⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 420
2⤵
- Program crash
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2188 -ip 2188
1⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 416
2⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5496 -ip 5496
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 428
2⤵
- Program crash
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2024 -ip 2024
1⤵
PID:4624

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- DcRat
- Creates scheduled task(s)
PID:4352

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 420
2⤵
- Program crash
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1156 -ip 1156
1⤵
PID:5884

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1752

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 420
2⤵
- Program crash
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4676 -ip 4676
1⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa065a4f50,0x7ffa065a4f60,0x7ffa065a4f70
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
2⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
2⤵
PID:5400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1936 /prefetch:8
2⤵
PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
2⤵
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 /prefetch:8
2⤵
PID:180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=916 /prefetch:1
2⤵
PID:5916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
2⤵
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1600 /prefetch:1
2⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
2⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
2⤵
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
2⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:8
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1492 /prefetch:1
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
2⤵
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:5492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:6072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
2⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
2⤵
PID:5820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
2⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
2⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
2⤵
PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
2⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3524 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
2⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
2⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 /prefetch:8
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
2⤵
PID:660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
2⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
2⤵
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5184 /prefetch:2
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
2⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
2⤵
PID:5420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
2⤵
PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
2⤵
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:5484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
2⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
2⤵
PID:5756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
2⤵
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
2⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
2⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
2⤵
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
2⤵
PID:5940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3048 /prefetch:8
2⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
2⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
2⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
2⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
2⤵
PID:5768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
2⤵
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7776 /prefetch:1
2⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
2⤵
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8376 /prefetch:1
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8532 /prefetch:1
2⤵
PID:6032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:1
2⤵
PID:6044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8684 /prefetch:1
2⤵
PID:6052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8768 /prefetch:1
2⤵
PID:6016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:1
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9176 /prefetch:1
2⤵
PID:5244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9328 /prefetch:1
2⤵
PID:5292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9680 /prefetch:1
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9556 /prefetch:1
2⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9136 /prefetch:1
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
2⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
2⤵
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
2⤵
PID:5340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
2⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9988 /prefetch:1
2⤵
PID:5640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10448 /prefetch:1
2⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
2⤵
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
2⤵
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1620 /prefetch:1
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8328 /prefetch:1
2⤵
PID:5228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
2⤵
PID:180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
2⤵
PID:6004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:1
2⤵
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8148 /prefetch:1
2⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
2⤵
PID:5764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
2⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1
2⤵
PID:5908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10204 /prefetch:1
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9808 /prefetch:1
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9972 /prefetch:1
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3864 /prefetch:8
2⤵
PID:6136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9452 /prefetch:8
2⤵
PID:5484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
2⤵
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
2⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
2⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
2⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6616 /prefetch:8
2⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8824 /prefetch:8
2⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6448 /prefetch:8
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 /prefetch:8
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6560 /prefetch:8
2⤵
PID:5788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6632 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 /prefetch:8
2⤵
PID:6104

C:\Users\Admin\Downloads\NAV-ESD-22.20.5.39-EN.exe
"C:\Users\Admin\Downloads\NAV-ESD-22.20.5.39-EN.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Program Files\Norton Security\Engine\22.20.5.39\coInst.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\coInst.exe" /install
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740

C:\Program Files\Norton Security\Engine\22.20.5.39\SRTSP_CA.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SRTSP_CA.exe" /install
3⤵
- Executes dropped EXE
PID:2256

C:\Program Files\Norton Security\Engine\22.20.5.39\EFAInst64.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\EFAInst64.exe" /legacydelsysvolinfo
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668

C:\Program Files\Norton Security\Engine\22.20.5.39\SymVTCatalogDB.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymVTCatalogDB.exe" /d
3⤵
- Executes dropped EXE
PID:4300

C:\Program Files\Norton Security\Engine\22.20.5.39\ELAMInst.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\ELAMInst.exe" "C:\Windows\System32\drivers\NGCx64\1614050.027" /install /installcertinfo
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5588

C:\Program Files\Norton Security\Engine\22.20.5.39\Sevntx64.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\Sevntx64.exe" /Q /HRESULT /CheckForOlderVersion /log IS
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
PID:960

C:\Program Files\Norton Security\Engine\22.20.5.39\RuleUp.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\RuleUp.exe" /install
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3188

C:\Program Files\Norton Security\Engine\22.20.5.39\symerr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\symerr.exe" /uninstalltasksandlegacy
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280

C:\Program Files\Norton Security\Engine32\22.20.5.39\tuIH.exe
"C:\Program Files\Norton Security\Engine32\22.20.5.39\tuIH.exe" /install
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:660

C:\Program Files\Norton Security\Engine32\22.20.5.39\InstCA.exe
"C:\Program Files\Norton Security\Engine32\22.20.5.39\InstCA.exe" /install
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5056

C:\Program Files\Norton Security\Engine\22.20.5.39\coInst.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\coInst.exe" /install
3⤵
- Executes dropped EXE
PID:5144

C:\Program Files\Norton Security\Engine\22.20.5.39\SRTSP_CA.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SRTSP_CA.exe" /install
3⤵
- Executes dropped EXE
PID:3064

C:\Program Files\Norton Security\Engine\22.20.5.39\EFAInst64.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\EFAInst64.exe" /legacydelsysvolinfo
3⤵
- Executes dropped EXE
PID:2008

C:\Program Files\Norton Security\Engine\22.20.5.39\SymVTCatalogDB.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymVTCatalogDB.exe" /d
3⤵
- Executes dropped EXE
PID:1784

C:\Program Files\Norton Security\Engine\22.20.5.39\ELAMInst.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\ELAMInst.exe" "C:\Windows\System32\drivers\NGCx64\1614050.027" /install /installcertinfo
3⤵
- Executes dropped EXE
PID:4536

C:\Program Files\Norton Security\Engine\22.20.5.39\Sevntx64.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\Sevntx64.exe" /Q /HRESULT /CheckForOlderVersion /log IS
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5696

C:\Program Files\Norton Security\Engine\22.20.5.39\RuleUp.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\RuleUp.exe" /install
3⤵
- Executes dropped EXE
PID:4048

C:\Program Files\Norton Security\Engine\22.20.5.39\symerr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\symerr.exe" /uninstalltasksandlegacy
3⤵
- Executes dropped EXE
PID:1732

C:\Program Files\Norton Security\Engine32\22.20.5.39\tuIH.exe
"C:\Program Files\Norton Security\Engine32\22.20.5.39\tuIH.exe" /install
3⤵
- Executes dropped EXE
PID:1684

C:\Program Files\Norton Security\Engine32\22.20.5.39\InstCA.exe
"C:\Program Files\Norton Security\Engine32\22.20.5.39\InstCA.exe" /install
3⤵
- Executes dropped EXE
PID:5508

C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\InstStub.exe
"C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC\562C4DD5\22.20.5.39\InstStub.exe" /TRAYONLY
3⤵
- Executes dropped EXE
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1720 /prefetch:8
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:5596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1708 /prefetch:8
2⤵
PID:6120

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=lOLFXvEmZv5Y6bV7bPMuWFKTNu7RFNIYJHZNaJFX --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
PID:5188

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x294,0x298,0x29c,0x268,0x2a0,0x7ff771445960,0x7ff771445970,0x7ff771445980
3⤵
- Executes dropped EXE
PID:4644

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5188_ZKHYKLOATJNLAMUI" --sandboxed-process-id=2 --init-done-notifier=784 --sandbox-mojo-pipe-token=257946272168227906 --mojo-platform-channel-handle=760 --engine=2
3⤵
- Executes dropped EXE
PID:4300

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5188_ZKHYKLOATJNLAMUI" --sandboxed-process-id=3 --init-done-notifier=1016 --sandbox-mojo-pipe-token=17487811587754019994 --mojo-platform-channel-handle=1012
3⤵
- Executes dropped EXE
PID:5928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1888 /prefetch:8
2⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
2⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10212 /prefetch:8
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1420 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1420 /prefetch:8
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
2⤵
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=157 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=158 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10000 /prefetch:1
2⤵
PID:912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=159 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10440 /prefetch:1
2⤵
PID:5760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=160 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
2⤵
PID:792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,17743526748248276555,3805670542023917204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=161 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8824 /prefetch:1
2⤵
PID:3944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 428
2⤵
- Program crash
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3016 -ip 3016
1⤵
PID:5964

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4104

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4104_553626233\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4104_553626233\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={8d5674ab-3bf3-4ab7-87ca-4c2a2c412b01} --system
2⤵
- Executes dropped EXE
PID:3440

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 420
2⤵
- Program crash
PID:6024

C:\Users\Admin\AppData\Roaming\wtgbrtj
C:\Users\Admin\AppData\Roaming\wtgbrtj
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2176

C:\Users\Admin\AppData\Roaming\cigbrtj
C:\Users\Admin\AppData\Roaming\cigbrtj
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 344
2⤵
- Program crash
PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4152 -ip 4152
1⤵
PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2364 -ip 2364
1⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 432
2⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5076 -ip 5076
1⤵
PID:2164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x32c
1⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 420
2⤵
- Program crash
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3712 -ip 3712
1⤵
PID:5068

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:5292

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 420
2⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4816 -ip 4816
1⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 420
2⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5952 -ip 5952
1⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 428
2⤵
- Program crash
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5364 -ip 5364
1⤵
PID:2276

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4444

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
2⤵
- Executes dropped EXE
PID:3620

C:\Program Files\Norton Security\Engine\22.20.5.39\uiStub.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\uiStub.exe" /win8
1⤵
- Executes dropped EXE
PID:924

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\13347E23\B772681D-E1E5-41A5-9DC9-E81057BEF4B5.dat"
2⤵
PID:2164

C:\Program Files\Norton Security\Engine\22.20.5.39\NortonSecurity.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\NortonSecurity.exe" /s "NortonSecurity" /m "C:\Program Files\Norton Security\Engine\22.20.5.39\diMaster.dll" /prefetch:1
1⤵
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
PID:4680

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\33230791\BB2429F8-83FA-4445-9CF5-6B5A3E69102A.dat"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5288

C:\Program Files\Norton Security\Engine\22.20.5.39\NortonSecurity.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\NortonSecurity.exe" /c /a /s UserSession2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\B8D6822C\CC32DFB2-AD7C-4FD0-AF95-F9C72FA3BF72.dat"
3⤵
PID:4816

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\993DA71E\B67D158E-4E9A-4621-B8B0-4E8391BE310F.dat"
3⤵
PID:960

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\718D2846\C5AFC715-B26D-4653-A2E1-E2EEE36979AF.dat"
3⤵
PID:2276

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\E589B070\76372009-1017-4195-8785-EA9A9B7EE3EF.dat"
3⤵
PID:3080

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\24E6AB0D\11392714-117C-4116-AEF8-B4C163A95D0C.dat"
3⤵
PID:984

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\C395E710\6B012B29-D3EA-479D-8F3D-87A5E8219461.dat"
3⤵
PID:5692

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\A213B7A2\34FB5872-2F04-472D-9AAB-57A250F0630A.dat"
2⤵
- Modifies data under HKEY_USERS
PID:4924

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\552D93DD\53FE1FD1-1178-415F-AB78-D75EFBC240EE.dat"
2⤵
- Modifies data under HKEY_USERS
PID:4404

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 420
2⤵
- Program crash
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1704 -ip 1704
1⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 420
2⤵
- Program crash
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1156 -ip 1156
1⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 424
2⤵
- Program crash
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1316 -ip 1316
1⤵
PID:2872

C:\Program Files\Norton Security\Engine\22.20.5.39\uiStub.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\uiStub.exe" /win8
1⤵
PID:2868

C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe
"C:\Program Files\Norton Security\Engine\22.20.5.39\SymErr.exe" /file "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.20.5.39\CmnClnt\ErrorInstances\13347E23\16E74271-B830-476D-AD5B-321ADA18D791.dat"
2⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 308
2⤵
- Program crash
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4592 -ip 4592
1⤵
PID:3936

C:\Users\Admin\AppData\Roaming\wtgbrtj
C:\Users\Admin\AppData\Roaming\wtgbrtj
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2764

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 420
2⤵
- Program crash
PID:5436

C:\Users\Admin\AppData\Roaming\cigbrtj
C:\Users\Admin\AppData\Roaming\cigbrtj
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 308
2⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 224 -ip 224
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1272 -ip 1272
1⤵
PID:2204

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:4996

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
2⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 420
2⤵
- Program crash
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 508 -ip 508
1⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 428
2⤵
- Program crash
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3056 -ip 3056
1⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 420
2⤵
- Program crash
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 812 -ip 812
1⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 436
2⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1992 -ip 1992
1⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 420
2⤵
- Program crash
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5048 -ip 5048
1⤵
PID:5860

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:1816

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
2⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 420
2⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1572 -ip 1572
1⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 420
2⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4976 -ip 4976
1⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 428
2⤵
- Program crash
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5176 -ip 5176
1⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 416
2⤵
- Program crash
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5992 -ip 5992
1⤵
PID:5212

C:\Users\Admin\AppData\Roaming\wtgbrtj
C:\Users\Admin\AppData\Roaming\wtgbrtj
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5040

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 420
2⤵
- Program crash
PID:1120

C:\Users\Admin\AppData\Roaming\cigbrtj
C:\Users\Admin\AppData\Roaming\cigbrtj
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 308
2⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3296 -ip 3296
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3580 -ip 3580
1⤵
PID:5356

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:6028

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
2⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 420
2⤵
- Program crash
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5960 -ip 5960
1⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 428
2⤵
- Program crash
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3968 -ip 3968
1⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 420
2⤵
- Program crash
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 812 -ip 812
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 420
2⤵
- Program crash
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3964 -ip 3964
1⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 420
2⤵
- Program crash
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2828 -ip 2828
1⤵
PID:2352

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:5428

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
2⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 420
2⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5548 -ip 5548
1⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 428
2⤵
- Program crash
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2592 -ip 2592
1⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 424
2⤵
- Program crash
PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5356 -ip 5356
1⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 420
2⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2764 -ip 2764
1⤵
PID:684

C:\Users\Admin\AppData\Roaming\wtgbrtj
C:\Users\Admin\AppData\Roaming\wtgbrtj
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1752

C:\Users\Admin\AppData\Roaming\cigbrtj
C:\Users\Admin\AppData\Roaming\cigbrtj
1⤵
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 316
2⤵
- Program crash
PID:4468

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 428
2⤵
- Program crash
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5368 -ip 5368
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5244 -ip 5244
1⤵
PID:5296

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:5172

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
2⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 420
2⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5516 -ip 5516
1⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 420
2⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1428 -ip 1428
1⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 428
2⤵
- Program crash
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3104 -ip 3104
1⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 420
2⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3316 -ip 3316
1⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 420
2⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5636 -ip 5636
1⤵
PID:5348

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:5084

C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe
C:\Users\Admin\AppData\Local\fa96cd4c-0338-45c0-b0c0-e4237608920c\2AE8.exe --Task
2⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 420
2⤵
- Program crash
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4788 -ip 4788
1⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 420
2⤵
- Program crash
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4508 -ip 4508
1⤵
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery