cobaltstrike | 93580834e65af2f5a83aacef47a1ec3ef45fc6ab9683ec4df771bbea713ab38f

Modify Registry

Processes:

INSTALLER.exeINSTALLER.exeexplorer.exeMSAGENT.EXEtv_enua.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2416 netsh.exe

pid	process
2416	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
7520
5328
1728
7812
7500
5052
7592	takeown.exe
5588
1332
4448
184
8376	takeown.exe
6492
4464
8092
2872
7040
1712	icacls.exe
5208
5308	takeown.exe
2792
5080
5376
7500
6496
3108
9100	takeown.exe
4312
404
6864
8352
8336
8848
6756
4700
436
4232
7580
8220
4288
4892
5224
8696
8980
4180
1728
4996
8188
8880	takeown.exe
4064
2132
2264
7708
5496
5988
2000
4204
4904
8244
2680
8520
8044
7220
2256

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rsEngineSvc.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rsEngineSvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe

Checks computer location settings 2 TTPs 40 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

rsAppUI.exersAppUI.exersAppUI.execmd.exersAppUI.exeRobloxPlayerLauncher.exersVPNSvc.exeFREDDO.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exeBarbie and her Sisters Puppy Rescue_Eo-DwL1.tmpprod0.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exeRobloxPlayerLauncher.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsVPNSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	FREDDO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	prod0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	rsAppUI.exe

Executes dropped EXE 64 IoCs

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exeBarbie and her Sisters Puppy Rescue_Eo-DwL1.exeBarbie and her Sisters Puppy Rescue_Eo-DwL1.tmpprod0.exesaBSI.exeOperaSetup.exeOperaSetup.exeOperaSetup.exebddl5arx.exeOperaSetup.exeOperaSetup.exeRAVEndPointProtection-installer.exersSyncSvc.exersSyncSvc.exeqbittorrent.exeinstaller.exeinstaller.exeServiceHost.exeUIHost.exeServiceHost.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeServiceHost.exeUIHost.exeServiceHost.exersWSC.exersWSC.exersClientSvc.exersClientSvc.exersEngineSvc.exersEngineSvc.exepqzpkfpg.exeRAVVPN-installer.exersHelper.exersVPNClientSvc.exersVPNClientSvc.exersVPNSvc.exersVPNSvc.exeVPN.exersAppUI.exeServiceHost.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exeEPP.exersAppUI.exeynchbncp.exersAppUI.exersAppUI.exersAppUI.exeSaferWeb-installer.exersAppUI.exersDNSClientSvc.exersDNSClientSvc.exersDNSResolver.exersDNSResolver.exersDNSResolver.exersDNSSvc.exersDNSSvc.exersLitmus.A.exeDNS.exe

pid	process
1256	RobloxPlayerLauncher.exe
924	RobloxPlayerLauncher.exe
3780	Barbie and her Sisters Puppy Rescue_Eo-DwL1.exe
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4512	prod0.exe
4376	saBSI.exe
3904	OperaSetup.exe
4388	OperaSetup.exe
4916	OperaSetup.exe
4552	bddl5arx.exe
388	OperaSetup.exe
4340	OperaSetup.exe
5012	RAVEndPointProtection-installer.exe
5224	rsSyncSvc.exe
5276	rsSyncSvc.exe
5340	qbittorrent.exe
5272	installer.exe
6116	installer.exe
5824	ServiceHost.exe
5716	UIHost.exe
6820	ServiceHost.exe
3524	Assistant_108.0.5067.20_Setup.exe_sfx.exe
5512	assistant_installer.exe
6344	assistant_installer.exe
6848	ServiceHost.exe
4828	UIHost.exe
544	ServiceHost.exe
5920	rsWSC.exe
5248	rsWSC.exe
5924	rsClientSvc.exe
3968	rsClientSvc.exe
4376	rsEngineSvc.exe
6292	rsEngineSvc.exe
3928	pqzpkfpg.exe
6252	RAVVPN-installer.exe
6932	rsHelper.exe
5900	rsVPNClientSvc.exe
5748	rsVPNClientSvc.exe
6872	rsVPNSvc.exe
6964	rsVPNSvc.exe
2068	VPN.exe
1468	rsAppUI.exe
5380	ServiceHost.exe
7120	rsAppUI.exe
6844	rsAppUI.exe
6404	rsAppUI.exe
6432	rsAppUI.exe
6500	EPP.exe
6976	rsAppUI.exe
6080	ynchbncp.exe
4688	rsAppUI.exe
6176	rsAppUI.exe
7004	rsAppUI.exe
4540	SaferWeb-installer.exe
4472	rsAppUI.exe
7420	rsDNSClientSvc.exe
7776	rsDNSClientSvc.exe
7940	rsDNSResolver.exe
7908	rsDNSResolver.exe
7176	rsDNSResolver.exe
7832	rsDNSSvc.exe
8764	rsDNSSvc.exe
7660	rsLitmus.A.exe
8492	DNS.exe

Loads dropped DLL 64 IoCs

Processes:

Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmpOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exebddl5arx.exeOperaSetup.exeregsvr32.exeregsvr32.exeServiceHost.exeregsvr32.exeregsvr32.exeRAVEndPointProtection-installer.exeUIHost.exeServiceHost.exeassistant_installer.exeassistant_installer.exeServiceHost.exeUIHost.exeServiceHost.exersEngineSvc.exepqzpkfpg.exeRAVVPN-installer.exersVPNSvc.exersAppUI.exeServiceHost.exersAppUI.exersAppUI.exe

pid	process
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
3904	OperaSetup.exe
4388	OperaSetup.exe
4916	OperaSetup.exe
388	OperaSetup.exe
4552	bddl5arx.exe
4340	OperaSetup.exe
6136	regsvr32.exe
6044	regsvr32.exe
5824	ServiceHost.exe
4820	regsvr32.exe
5232	regsvr32.exe
5824	ServiceHost.exe
5824	ServiceHost.exe
5824	ServiceHost.exe
5824	ServiceHost.exe
5824	ServiceHost.exe
5012	RAVEndPointProtection-installer.exe
5716	UIHost.exe
5716	UIHost.exe
5824	ServiceHost.exe
6820	ServiceHost.exe
6820	ServiceHost.exe
6820	ServiceHost.exe
6820	ServiceHost.exe
6820	ServiceHost.exe
6820	ServiceHost.exe
5512	assistant_installer.exe
5512	assistant_installer.exe
6344	assistant_installer.exe
6344	assistant_installer.exe
6848	ServiceHost.exe
6848	ServiceHost.exe
6848	ServiceHost.exe
6848	ServiceHost.exe
6848	ServiceHost.exe
6848	ServiceHost.exe
6848	ServiceHost.exe
4828	UIHost.exe
5012	RAVEndPointProtection-installer.exe
4828	UIHost.exe
544	ServiceHost.exe
544	ServiceHost.exe
544	ServiceHost.exe
544	ServiceHost.exe
544	ServiceHost.exe
6292	rsEngineSvc.exe
3928	pqzpkfpg.exe
6252	RAVVPN-installer.exe
6292	rsEngineSvc.exe
6292	rsEngineSvc.exe
6964	rsVPNSvc.exe
1468	rsAppUI.exe
1468	rsAppUI.exe
5380	ServiceHost.exe
5380	ServiceHost.exe
5380	ServiceHost.exe
5380	ServiceHost.exe
5380	ServiceHost.exe
7120	rsAppUI.exe
6844	rsAppUI.exe
7120	rsAppUI.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
7464
1224
3020
7740	icacls.exe
3620
4772
7152
7412
9116
7460
8680	icacls.exe
8928
528
688
720
4524
1792
5052
5700
4140
5184
8592	takeown.exe
7376
8756
4312
892
5028
6652
5968
9016	takeown.exe
2440
3560
5700
2148
1408
4924	takeown.exe
720
6544
7604
6268	icacls.exe
4004
1888
7460
4224
7524
6916
5792	icacls.exe
4016
2300
8756
7940
8556
7416
4008
3776
4020
3884
8980
3976
5700
3864
9164
8560
5388	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

rundll32.exerundll32.exetv_enua.exeINSTALLER.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

Processes:

Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\AVAST Software\Avast	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\AVG\AV\Dir	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

qbittorrent.exersEngineSvc.exeexplorer.exeOperaSetup.exeOperaSetup.exe

description	ioc	process
File opened (read-only)	\??\F:	qbittorrent.exe
File opened (read-only)	\??\F:	rsEngineSvc.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

Processes:

flow	ioc
1590	raw.githubusercontent.com
998	raw.githubusercontent.com
999	raw.githubusercontent.com
1388	raw.githubusercontent.com
1389	raw.githubusercontent.com
1398	raw.githubusercontent.com
1517	raw.githubusercontent.com
1400	raw.githubusercontent.com
1425	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	autoit_exe

Drops file in System32 directory 64 IoCs

Processes:

rsEngineSvc.exetv_enua.exersSyncSvc.exersVPNSvc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\229169D96B9C20761B929D428962A0A2_E724097EF7BBA8B1CB3228AA4D2ED312	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\229169D96B9C20761B929D428962A0A2_FC65190A8D1232A1711F16F9F20C5149	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07A7CCFBD28A674D95D3BF853C9007C6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_E35D496D1CD0B884BEBCAFED0FE61600	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1401C7EC8E96BC79CBFD92F9DF762D_E35D496D1CD0B884BEBCAFED0FE61600	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_66F532634EB780F86B16CC279B9366A2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\206932163209AD483A44477E28192474	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\206932163209AD483A44477E28192474	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8	rsSyncSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\rsVPNSvc\WireGuard\log.bin	rsVPNSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	rsSyncSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A7CCFBD28A674D95D3BF853C9007C6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_D5824721AFCD338CB437BB54334D6F98	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\229169D96B9C20761B929D428962A0A2_E724097EF7BBA8B1CB3228AA4D2ED312	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	rsSyncSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	rsSyncSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	rsSyncSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEngineSvc.exe
File created	C:\Windows\SysWOW64\SETDC22.tmp	tv_enua.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsScanner_v3.9.1.exe.log
File opened for modification	C:\Windows\SysWOW64\SETDC22.tmp	tv_enua.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8	rsSyncSvc.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeinstaller.exeRAVEndPointProtection-installer.exeSaferWeb-installer.exeBonziBuddy432.exeRAVVPN-installer.exe

description	ioc	process
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\aj_toasts\wa-aj-toast-toggle.js	installer.exe
File created	C:\Program Files\McAfee\Temp3608612160\main_close_large.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-da-DK.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp3608612160\jslang\wa-res-install-fr-CA.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Runtime.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-ru-RU.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page0.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb008.gif	BonziBuddy432.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\icudtl.dat	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\securesearchhit.luc	installer.exe
File created	C:\Program Files\ReasonLabs\VPN\rsEngine.JSON.dll	RAVVPN-installer.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualShortcutsMaker.vbs	BonziBuddy432.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\wataskmanager.dll	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\rsEngine.Core.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.IO.Compression.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-sk-SK.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\WireGuard\x86\wireguard.dll	RAVVPN-installer.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page4.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page15.jpg	BonziBuddy432.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-el-GR.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\InstallerLib.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\usage_calculation.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\analyticstelemetryhandler.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\fr\Microsoft.Win32.TaskScheduler.resources.dll	RAVVPN-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-sstoast.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\eventsupplied.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Runtime.Serialization.Json.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\warning-icon-toast.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\enable_sideloaded_ext_guide.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-nl-NL.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\elam\rselam.cat	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	RAVVPN-installer.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\ODKOB32.DLL	BonziBuddy432.exe
File created	C:\Program Files\McAfee\Temp3608612160\jslang\eula-el-GR.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\Temp3608612160\jslang\eula-fr-FR.txt	installer.exe
File created	C:\Program Files\ReasonLabs\VPN\rsEngine.Loggers.Application.dll	RAVVPN-installer.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb007.gif	BonziBuddy432.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-da-DK.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ca.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\rsDwf.inf	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\rsEngine.config	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-en-US.js	installer.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualDirPatcher.bat	BonziBuddy432.exe
File opened for modification	C:\Program Files\McAfee\Temp3608612160\jslang\wa-res-shared-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\installedextensions.luc	installer.exe

Drops file in Windows directory 64 IoCs

Processes:

Bonzify (2).exeINSTALLER.exeINSTALLER.exeMSAGENT.EXEtv_enua.exe

description	ioc	process
File created	C:\Windows\executables.bin	Bonzify (2).exe
File opened for modification	C:\Windows\msagent\SET23E5.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SETACD8.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File created	C:\Windows\msagent\SET23E4.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET240D.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET25F5.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETACC2.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\SETDC00.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET23F7.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\SET23FC.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SET240C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File created	C:\Windows\lhsp\help\SET2607.tmp	INSTALLER.exe
File created	C:\Windows\INF\SET2609.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SETDBFF.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET23E3.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET23F7.tmp	INSTALLER.exe
File created	C:\Windows\INF\SET23FA.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File created	C:\Windows\fonts\SET2608.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETACC1.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File opened for modification	C:\Windows\INF\SET2609.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	INSTALLER.exe
File created	C:\Windows\help\SET23FC.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETACD6.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SETACD6.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET240D.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SET2607.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SETAD2A.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SET25F5.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETAD2A.tmp	MSAGENT.EXE
File created	C:\Windows\help\SETACE9.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET23E2.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	MSAGENT.EXE
File created	C:\Windows\msagent\SETACD5.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET23E3.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETACC0.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SETACC1.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SETACD3.tmp	MSAGENT.EXE
File created	C:\Windows\lhsp\help\SETDC00.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET23F8.tmp	INSTALLER.exe
File created	C:\Windows\msagent\intl\SETACEA.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET25F6.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETACD4.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SETACD7.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETACC0.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SETACD7.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

pid pid_target process target process

7016 6396
4508 4404
3708 5644

pid	pid_target	process	target process
7016	6396
4508	4404
3708	5644

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

runonce.exerunonce.exeAcroRd32.exeBarbie and her Sisters Puppy Rescue_Eo-DwL1.tmp

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4940 taskkill.exe

pid	process
4940	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

RobloxPlayerLauncher.exeAcroRd32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ServiceHost.exeServiceHost.exeServiceHost.exersWSC.exeServiceHost.exeServiceHost.exersEngineSvc.exersSyncSvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rsSyncSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe

Modifies registry class 64 IoCs

Processes:

BonziBuddy432.exeAgentSvr.exeregsvr32.exeBonziBDY_4.EXERobloxPlayerLauncher.exeregsvr32.exeregsvr32.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368C5B10-6A0F-11CE-9425-0000C0C14E92}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575}\2.0\0	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComMorph.1\CLSID	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B1BE804-567F-11D1-B652-0060976C699F}\ProgID\ = "RegistryControl.RegiCon"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FD9-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\ = "{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}"	BonziBuddy432.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\ = "IAgentExt"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A031FBF6-81A7-4440-9E20-51ABB2289E4B}\VERSION\ = "1.4"	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FD8-1BF9-11D2-BAE8-00104B9E0792}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\BonziBuddy432\\ssa3d30.ocx, 109"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSCheck.3\CLSID	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00E212A2-E66D-11CD-836C-0000C0C14E92}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{972DE6C3-8B09-11D2-B652-A1FD6CC34260}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D46-2CDD-11D3-9DD0-D3CD4078982A}\ = "ISkinPanel"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D4C-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A45DB4F-BD0D-11D2-8D14-00104B9E072A}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7AE601-0142-11D3-9DCF-89BE4EFB591E}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{322982E0-0855-11D3-9DCF-DDFB3AB09E18}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D49-2CDD-11D3-9DD0-D3CD4078982A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl\CurVer\ = "MSComctlLib.ImageComboCtl.2"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{920FF31F-CA25-451A-9738-3444FC206BCC}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR\	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FE1-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4F2C1F0-6FA6-11CE-942A-0000C0C14E92}\ = "ISSYearX"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinPanel.1\CLSID	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Control	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FE0-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368C5B10-6A0F-11CE-9425-0000C0C14E92}\Version	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D42-2CDD-11D3-9DD0-D3CD4078982A}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCE47F78-8A6C-4C6D-A6F7-8BE4427127C4}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinPanel\ = "ActiveSkin.SkinPanel Class"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{157083E1-2368-11CF-87B9-00AA006C8166}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62FCAC31-2581-11D2-BAF1-00104B9E0792}\ = "DSSOption"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74179610-5A56-11CE-940F-0000C0C14E92}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6549F504-C43A-43F3-B8CD-D077AF0427C8}\ProxyStubClsid32	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSCOMCTL.OCX"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}\ProgID	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}\3.0\0\win32\ = "C:\\Program Files (x86)\\BonziBuddy432\\ssa3d30.ocx"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A981630-37C3-11CE-9E52-0000C0554C0A}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D4D-2CDD-11D3-9DD0-D3CD4078982A}\Version	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB61DB30-B032-11D0-A853-0000C02AC6DB}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileType\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.1\ = "Microsoft Agent Control 1.5"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{311CFF50-3889-11CE-9E52-0000C0554C0A}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D31-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{643F1354-1D07-11CE-9E52-0000C0554C0A}\InprocServer32	BonziBuddy432.exe

Modifies system certificate store 2 TTPs 30 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

OperaSetup.exersWSC.exersEngineSvc.exesaBSI.exersEngineSvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B\Blob = 5c000000010000000400000000040000190000000100000010000000163bfe3a4cc2a862bfa2e635f8b2ee0203000000010000001400000024a40a1f573643a67f0a4b0749f6a22bf28abb6b680000000100000008000000000036044ddfd3017e0000000100000008000000000010c51e92d2011d0000000100000010000000177f789e96523e206c796917c848d50f0b000000010000001200000056006500720069005300690067006e000000140000000100000014000000902f82a37c4797011e0f4ba5af1313c2111347ea090000000100000016000000301406082b0601050507030306082b06010505070304620000000100000020000000ac1fae74b4e97106092131f2e7f746b6734386742bdfd8423731aed14a4ce4460f0000000100000010000000a2011111cc748d961c35c67a0d5c8af5040000000100000010000000dd753f56bfbbc5a17a1553c690f9fbcc20000000010000004402000030820240308201a9021003c78f37db9228df3cbb1aad82fa6710300d06092a864886f70d010102050030613111300f06035504071308496e7465726e657431173015060355040a130e566572695369676e2c20496e632e31333031060355040b132a566572695369676e20436f6d6d65726369616c20536f667477617265205075626c697368657273204341301e170d3936303430393030303030305a170d3034303130373233353935395a30613111300f06035504071308496e7465726e657431173015060355040a130e566572695369676e2c20496e632e31333031060355040b132a566572695369676e20436f6d6d65726369616c20536f667477617265205075626c69736865727320434130819f300d06092a864886f70d010101050003818d0030818902818100c3d3696552019454ab28c66218b35455c54487454a3bc27ed8d3d7c880868dd80cf1169ccc6ba929b28f767392c8c562a63ced1e0575f013006c144dd4989007be697381b8624e311ed1fcc90ceb7d90bfaeb44751ec6fce643502d67d670577e28fd951d7fb9719bc3ed77781c643ddf2dddfcaa3838bcb41c13d224848a6190203010001300d06092a864886f70d010102050003818100b5bcb0756a89a286bd6478c3a732757211aa26021760304ce3483419b9524a511880fe532d7bd5318cc5659941412ff2ae637ae8739915901a1f7a8b41d08e3ad0cd383444d075f8ea71c481193817354aaec53e32e621b805c093e1c7385cd8f793386490ed54cecad3d3d05fef049bde0282dd8829b1c34fa5cd7164313c3c	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob = 5c000000010000000400000000040000190000000100000010000000e53d34cecb05c17ee332c749d78c02560f000000010000001000000065fc47520f66383962ec0b7b88a0821d03000000010000001400000018f7c1fcc3090203fd5baa2f861a754976c8dd2509000000010000000c000000300a06082b060105050703080b000000010000003400000056006500720069005300690067006e002000540069006d00650020005300740061006d00700069006e00670020004300410000001400000001000000140000003edf290cc1f5cc732ceb3d24e17e52dabd27e2f0040000000100000010000000ebb04f1d3a2e372f1dda6e27d6b680fa2000000001000000c0020000308202bc3082022502104a19d2388c82591ca55d735f155ddca3300d06092a864886f70d010104050030819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e301e170d3937303531323030303030305a170d3034303130373233353935395a30819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e30819f300d06092a864886f70d010101050003818d0030818902818100d32e20f0687c2c2d2e811cb106b2a70bb7110d57da53d875e3c9332ab2d4f6095b34f3e990fe090cd0db1b5ab9cde7f688b19dc08725eb7d5810736a78cb7115fdc658f629ab585e9604fd2d621158811cca7194d522582fd5cc14058436ba94aab44d4ae9ee3b22ad56997e219c6c86c04a47976ab4a636d5fc092dd3b4399b0203010001300d06092a864886f70d01010405000381810061550e3e7bc792127e11108e22ccd4b3132b5be844e40b789ea47ef3a707721ee259efcc84e389944cdb4e61efb3a4fb463d50340b9f7056f68e2a7f17cee563bf796907732eb095288af5edaaa9d25dcd0aca10098fceb3af2896c479298492dcffba674248a69010e4bf61f89c53e593d1733ff8fd9d4f84ac55d1fd116363	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B\Blob = 0f0000000100000010000000a2011111cc748d961c35c67a0d5c8af5620000000100000020000000ac1fae74b4e97106092131f2e7f746b6734386742bdfd8423731aed14a4ce446090000000100000016000000301406082b0601050507030306082b06010505070304140000000100000014000000902f82a37c4797011e0f4ba5af1313c2111347ea0b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000177f789e96523e206c796917c848d50f7e0000000100000008000000000010c51e92d201680000000100000008000000000036044ddfd30103000000010000001400000024a40a1f573643a67f0a4b0749f6a22bf28abb6b20000000010000004402000030820240308201a9021003c78f37db9228df3cbb1aad82fa6710300d06092a864886f70d010102050030613111300f06035504071308496e7465726e657431173015060355040a130e566572695369676e2c20496e632e31333031060355040b132a566572695369676e20436f6d6d65726369616c20536f667477617265205075626c697368657273204341301e170d3936303430393030303030305a170d3034303130373233353935395a30613111300f06035504071308496e7465726e657431173015060355040a130e566572695369676e2c20496e632e31333031060355040b132a566572695369676e20436f6d6d65726369616c20536f667477617265205075626c69736865727320434130819f300d06092a864886f70d010101050003818d0030818902818100c3d3696552019454ab28c66218b35455c54487454a3bc27ed8d3d7c880868dd80cf1169ccc6ba929b28f767392c8c562a63ced1e0575f013006c144dd4989007be697381b8624e311ed1fcc90ceb7d90bfaeb44751ec6fce643502d67d670577e28fd951d7fb9719bc3ed77781c643ddf2dddfcaa3838bcb41c13d224848a6190203010001300d06092a864886f70d010102050003818100b5bcb0756a89a286bd6478c3a732757211aa26021760304ce3483419b9524a511880fe532d7bd5318cc5659941412ff2ae637ae8739915901a1f7a8b41d08e3ad0cd383444d075f8ea71c481193817354aaec53e32e621b805c093e1c7385cd8f793386490ed54cecad3d3d05fef049bde0282dd8829b1c34fa5cd7164313c3c	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob = 040000000100000010000000ebb04f1d3a2e372f1dda6e27d6b680fa1400000001000000140000003edf290cc1f5cc732ceb3d24e17e52dabd27e2f00b000000010000003400000056006500720069005300690067006e002000540069006d00650020005300740061006d00700069006e006700200043004100000009000000010000000c000000300a06082b0601050507030803000000010000001400000018f7c1fcc3090203fd5baa2f861a754976c8dd250f000000010000001000000065fc47520f66383962ec0b7b88a0821d190000000100000010000000e53d34cecb05c17ee332c749d78c02562000000001000000c0020000308202bc3082022502104a19d2388c82591ca55d735f155ddca3300d06092a864886f70d010104050030819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e301e170d3937303531323030303030305a170d3034303130373233353935395a30819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e30819f300d06092a864886f70d010101050003818d0030818902818100d32e20f0687c2c2d2e811cb106b2a70bb7110d57da53d875e3c9332ab2d4f6095b34f3e990fe090cd0db1b5ab9cde7f688b19dc08725eb7d5810736a78cb7115fdc658f629ab585e9604fd2d621158811cca7194d522582fd5cc14058436ba94aab44d4ae9ee3b22ad56997e219c6c86c04a47976ab4a636d5fc092dd3b4399b0203010001300d06092a864886f70d01010405000381810061550e3e7bc792127e11108e22ccd4b3132b5be844e40b789ea47ef3a707721ee259efcc84e389944cdb4e61efb3a4fb463d50340b9f7056f68e2a7f17cee563bf796907732eb095288af5edaaa9d25dcd0aca10098fceb3af2896c479298492dcffba674248a69010e4bf61f89c53e593d1733ff8fd9d4f84ac55d1fd116363	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf50f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B\Blob = 040000000100000010000000dd753f56bfbbc5a17a1553c690f9fbcc0f0000000100000010000000a2011111cc748d961c35c67a0d5c8af5620000000100000020000000ac1fae74b4e97106092131f2e7f746b6734386742bdfd8423731aed14a4ce446090000000100000016000000301406082b0601050507030306082b06010505070304140000000100000014000000902f82a37c4797011e0f4ba5af1313c2111347ea0b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000177f789e96523e206c796917c848d50f7e0000000100000008000000000010c51e92d201680000000100000008000000000036044ddfd30103000000010000001400000024a40a1f573643a67f0a4b0749f6a22bf28abb6b190000000100000010000000163bfe3a4cc2a862bfa2e635f8b2ee0220000000010000004402000030820240308201a9021003c78f37db9228df3cbb1aad82fa6710300d06092a864886f70d010102050030613111300f06035504071308496e7465726e657431173015060355040a130e566572695369676e2c20496e632e31333031060355040b132a566572695369676e20436f6d6d65726369616c20536f667477617265205075626c697368657273204341301e170d3936303430393030303030305a170d3034303130373233353935395a30613111300f06035504071308496e7465726e657431173015060355040a130e566572695369676e2c20496e632e31333031060355040b132a566572695369676e20436f6d6d65726369616c20536f667477617265205075626c69736865727320434130819f300d06092a864886f70d010101050003818d0030818902818100c3d3696552019454ab28c66218b35455c54487454a3bc27ed8d3d7c880868dd80cf1169ccc6ba929b28f767392c8c562a63ced1e0575f013006c144dd4989007be697381b8624e311ed1fcc90ceb7d90bfaeb44751ec6fce643502d67d670577e28fd951d7fb9719bc3ed77781c643ddf2dddfcaa3838bcb41c13d224848a6190203010001300d06092a864886f70d010102050003818100b5bcb0756a89a286bd6478c3a732757211aa26021760304ce3483419b9524a511880fe532d7bd5318cc5659941412ff2ae637ae8739915901a1f7a8b41d08e3ad0cd383444d075f8ea71c481193817354aaec53e32e621b805c093e1c7385cd8f793386490ed54cecad3d3d05fef049bde0282dd8829b1c34fa5cd7164313c3c	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B\Blob = 190000000100000010000000163bfe3a4cc2a862bfa2e635f8b2ee0203000000010000001400000024a40a1f573643a67f0a4b0749f6a22bf28abb6b680000000100000008000000000036044ddfd3017e0000000100000008000000000010c51e92d2011d0000000100000010000000177f789e96523e206c796917c848d50f0b000000010000001200000056006500720069005300690067006e000000140000000100000014000000902f82a37c4797011e0f4ba5af1313c2111347ea090000000100000016000000301406082b0601050507030306082b06010505070304620000000100000020000000ac1fae74b4e97106092131f2e7f746b6734386742bdfd8423731aed14a4ce4460f0000000100000010000000a2011111cc748d961c35c67a0d5c8af520000000010000004402000030820240308201a9021003c78f37db9228df3cbb1aad82fa6710300d06092a864886f70d010102050030613111300f06035504071308496e7465726e657431173015060355040a130e566572695369676e2c20496e632e31333031060355040b132a566572695369676e20436f6d6d65726369616c20536f667477617265205075626c697368657273204341301e170d3936303430393030303030305a170d3034303130373233353935395a30613111300f06035504071308496e7465726e657431173015060355040a130e566572695369676e2c20496e632e31333031060355040b132a566572695369676e20436f6d6d65726369616c20536f667477617265205075626c69736865727320434130819f300d06092a864886f70d010101050003818d0030818902818100c3d3696552019454ab28c66218b35455c54487454a3bc27ed8d3d7c880868dd80cf1169ccc6ba929b28f767392c8c562a63ced1e0575f013006c144dd4989007be697381b8624e311ed1fcc90ceb7d90bfaeb44751ec6fce643502d67d670577e28fd951d7fb9719bc3ed77781c643ddf2dddfcaa3838bcb41c13d224848a6190203010001300d06092a864886f70d010102050003818100b5bcb0756a89a286bd6478c3a732757211aa26021760304ce3483419b9524a511880fe532d7bd5318cc5659941412ff2ae637ae8739915901a1f7a8b41d08e3ad0cd383444d075f8ea71c481193817354aaec53e32e621b805c093e1c7385cd8f793386490ed54cecad3d3d05fef049bde0282dd8829b1c34fa5cd7164313c3c	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

NTFS ADS 8 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 388583.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 372876.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 119804.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 489616.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 399256.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 812998.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 490546.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 313846.crdownload:SmartScreen	msedge.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 443 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

qbittorrent.exe

pid process

5340 qbittorrent.exe

description	flow	ioc
HTTP User-Agent header	443	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
5340	qbittorrent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RobloxPlayerLauncher.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeBarbie and her Sisters Puppy Rescue_Eo-DwL1.tmpsaBSI.exeServiceHost.exeRAVEndPointProtection-installer.exe

pid	process
1256	RobloxPlayerLauncher.exe
1256	RobloxPlayerLauncher.exe
3604	msedge.exe
3604	msedge.exe
1860	msedge.exe
1860	msedge.exe
1428	identity_helper.exe
1428	identity_helper.exe
4808	msedge.exe
4808	msedge.exe
2340	msedge.exe
2340	msedge.exe
1616	msedge.exe
1616	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
2284	msedge.exe
2284	msedge.exe
4684	msedge.exe
4684	msedge.exe
3320	msedge.exe
3320	msedge.exe
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
4376	saBSI.exe
4376	saBSI.exe
4376	saBSI.exe
4376	saBSI.exe
4376	saBSI.exe
4376	saBSI.exe
4376	saBSI.exe
4376	saBSI.exe
4376	saBSI.exe
4376	saBSI.exe
5824	ServiceHost.exe
5824	ServiceHost.exe
5012	RAVEndPointProtection-installer.exe
5012	RAVEndPointProtection-installer.exe
5012	RAVEndPointProtection-installer.exe
5012	RAVEndPointProtection-installer.exe
5012	RAVEndPointProtection-installer.exe
5012	RAVEndPointProtection-installer.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

qbittorrent.exeOpenWith.exemsedge.exe

pid process

5340 qbittorrent.exe
2392 OpenWith.exe
1860 msedge.exe
8512
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

fltmc.exe

pid process

6596 fltmc.exe
648
648
648

pid	process
5340	qbittorrent.exe
2392	OpenWith.exe
1860	msedge.exe
8512

pid	process
6596	fltmc.exe
648
648
648

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exe

pid	process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

prod0.exeRAVEndPointProtection-installer.exeqbittorrent.exewevtutil.exefltmc.exewevtutil.exersWSC.exersWSC.exersEngineSvc.exersEngineSvc.exeRAVVPN-installer.exersHelper.exersVPNSvc.exersVPNSvc.exersAppUI.exe

description	pid	process
Token: SeDebugPrivilege	4512	prod0.exe
Token: SeDebugPrivilege	5012	RAVEndPointProtection-installer.exe
Token: SeShutdownPrivilege	5012	RAVEndPointProtection-installer.exe
Token: SeCreatePagefilePrivilege	5012	RAVEndPointProtection-installer.exe
Token: 33	5340	qbittorrent.exe
Token: SeIncBasePriorityPrivilege	5340	qbittorrent.exe
Token: SeDebugPrivilege	5012	RAVEndPointProtection-installer.exe
Token: SeSecurityPrivilege	1468	wevtutil.exe
Token: SeBackupPrivilege	1468	wevtutil.exe
Token: SeLoadDriverPrivilege	6596	fltmc.exe
Token: SeSecurityPrivilege	6816	wevtutil.exe
Token: SeBackupPrivilege	6816	wevtutil.exe
Token: SeDebugPrivilege	5920	rsWSC.exe
Token: SeDebugPrivilege	5248	rsWSC.exe
Token: SeDebugPrivilege	4376	rsEngineSvc.exe
Token: SeDebugPrivilege	4376	rsEngineSvc.exe
Token: SeDebugPrivilege	4376	rsEngineSvc.exe
Token: SeBackupPrivilege	4376	rsEngineSvc.exe
Token: SeRestorePrivilege	4376	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	4376	rsEngineSvc.exe
Token: SeDebugPrivilege	6292	rsEngineSvc.exe
Token: SeDebugPrivilege	6292	rsEngineSvc.exe
Token: SeDebugPrivilege	6292	rsEngineSvc.exe
Token: SeBackupPrivilege	6292	rsEngineSvc.exe
Token: SeRestorePrivilege	6292	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	6292	rsEngineSvc.exe
Token: SeDebugPrivilege	6252	RAVVPN-installer.exe
Token: SeShutdownPrivilege	6252	RAVVPN-installer.exe
Token: SeCreatePagefilePrivilege	6252	RAVVPN-installer.exe
Token: SeShutdownPrivilege	6292	rsEngineSvc.exe
Token: SeCreatePagefilePrivilege	6292	rsEngineSvc.exe
Token: SeDebugPrivilege	6932	rsHelper.exe
Token: SeDebugPrivilege	6932	rsHelper.exe
Token: SeDebugPrivilege	6932	rsHelper.exe
Token: SeBackupPrivilege	6932	rsHelper.exe
Token: SeRestorePrivilege	6932	rsHelper.exe
Token: SeLoadDriverPrivilege	6932	rsHelper.exe
Token: SeDebugPrivilege	6252	RAVVPN-installer.exe
Token: SeDebugPrivilege	6872	rsVPNSvc.exe
Token: SeDebugPrivilege	6872	rsVPNSvc.exe
Token: SeDebugPrivilege	6872	rsVPNSvc.exe
Token: SeBackupPrivilege	6872	rsVPNSvc.exe
Token: SeRestorePrivilege	6872	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	6872	rsVPNSvc.exe
Token: SeDebugPrivilege	6964	rsVPNSvc.exe
Token: SeDebugPrivilege	6964	rsVPNSvc.exe
Token: SeDebugPrivilege	6964	rsVPNSvc.exe
Token: SeBackupPrivilege	6964	rsVPNSvc.exe
Token: SeRestorePrivilege	6964	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	6964	rsVPNSvc.exe
Token: SeDebugPrivilege	6964	rsVPNSvc.exe
Token: SeDebugPrivilege	6964	rsVPNSvc.exe
Token: SeBackupPrivilege	6964	rsVPNSvc.exe
Token: SeRestorePrivilege	6964	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	6964	rsVPNSvc.exe
Token: SeShutdownPrivilege	6964	rsVPNSvc.exe
Token: SeCreatePagefilePrivilege	6964	rsVPNSvc.exe
Token: SeDebugPrivilege	1468	rsAppUI.exe
Token: SeShutdownPrivilege	1468	rsAppUI.exe
Token: SeCreatePagefilePrivilege	1468	rsAppUI.exe
Token: SeShutdownPrivilege	1468	rsAppUI.exe
Token: SeCreatePagefilePrivilege	1468	rsAppUI.exe
Token: SeShutdownPrivilege	1468	rsAppUI.exe
Token: SeCreatePagefilePrivilege	1468	rsAppUI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeBarbie and her Sisters Puppy Rescue_Eo-DwL1.tmpqbittorrent.exersAppUI.exe

pid	process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
4820	Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1468	rsAppUI.exe
1468	rsAppUI.exe
1468	rsAppUI.exe
1468	rsAppUI.exe
1468	rsAppUI.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exeqbittorrent.exersAppUI.exersAppUI.exersAppUI.exe

pid	process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1468	rsAppUI.exe
1468	rsAppUI.exe
1468	rsAppUI.exe
1468	rsAppUI.exe
1468	rsAppUI.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
6976	rsAppUI.exe
6976	rsAppUI.exe
6976	rsAppUI.exe
6976	rsAppUI.exe
6976	rsAppUI.exe
6976	rsAppUI.exe
6976	rsAppUI.exe
6976	rsAppUI.exe
6976	rsAppUI.exe
6976	rsAppUI.exe
8500	rsAppUI.exe
8500	rsAppUI.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeqbittorrent.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

pid	process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
2284	msedge.exe
3320	msedge.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
5340	qbittorrent.exe
7536	OpenWith.exe
7712	OpenWith.exe
7332	OpenWith.exe
8736	OpenWith.exe
7332	OpenWith.exe
7332	OpenWith.exe
7332	OpenWith.exe
7332	OpenWith.exe
7332	OpenWith.exe
7332	OpenWith.exe
8736	OpenWith.exe
8736	OpenWith.exe
8736	OpenWith.exe
8736	OpenWith.exe
8736	OpenWith.exe
8736	OpenWith.exe
8288	OpenWith.exe
8736	OpenWith.exe
8736	OpenWith.exe
8288	OpenWith.exe
8288	OpenWith.exe
7452	OpenWith.exe
7452	OpenWith.exe
7452	OpenWith.exe
7560	OpenWith.exe
9164	OpenWith.exe
9164	OpenWith.exe
9164	OpenWith.exe
7508	OpenWith.exe
7508	OpenWith.exe
7508	OpenWith.exe
1304	OpenWith.exe
7508	OpenWith.exe
7508	OpenWith.exe
7508	OpenWith.exe
7508	OpenWith.exe
7508	OpenWith.exe
7508	OpenWith.exe
7508	OpenWith.exe
7508	OpenWith.exe
7664	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe
2392	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exemsedge.exe

description	pid	process	target process
PID 3852 wrote to memory of 1236	3852	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 3852 wrote to memory of 1236	3852	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 3852 wrote to memory of 1236	3852	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 3852 wrote to memory of 1256	3852	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 3852 wrote to memory of 1256	3852	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 3852 wrote to memory of 1256	3852	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1256 wrote to memory of 924	1256	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1256 wrote to memory of 924	1256	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1256 wrote to memory of 924	1256	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1860 wrote to memory of 960	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 960	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3896	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3604	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 3604	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe
PID 1860 wrote to memory of 2360	1860	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

pid process

9176
8972

pid	process
9176
8972

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=3b50cd7a1711a7bcc79000fcd87d819e29d4aca7 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7b8,0x7bc,0x7c0,0x7b4,0x6c4,0x59eff4,0x59f004,0x59f014
2⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\RBX-52509A10\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RBX-52509A10\RobloxPlayerLauncher.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\RBX-52509A10\RobloxPlayerLauncher.exe
C:\Users\Admin\AppData\Local\Temp\RBX-52509A10\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=771b72f8e35b7c83e6a74bce1125195c9f128786 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5e0,0x5e4,0x5e8,0x5a8,0x5fc,0xfd7948,0xfd7958,0xfd7968
3⤵
- Executes dropped EXE
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ff9ccac46f8,0x7ff9ccac4708,0x7ff9ccac4718
2⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
2⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
2⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
2⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
2⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
2⤵
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
2⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
2⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
2⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1340 /prefetch:1
2⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
2⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
2⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
2⤵
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6184 /prefetch:8
2⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
2⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6960 /prefetch:8
2⤵
PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
2⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
2⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
2⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6880 /prefetch:8
2⤵
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
2⤵
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
2⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
2⤵
PID:344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7172 /prefetch:8
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
2⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
2⤵
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
2⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
2⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
2⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
2⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
2⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5940 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
2⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:1
2⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
2⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
2⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1
2⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7700 /prefetch:1
2⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8224 /prefetch:1
2⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8140 /prefetch:1
2⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
2⤵
PID:984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
2⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7912 /prefetch:8
2⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7364 /prefetch:8
2⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
2⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8208 /prefetch:8
2⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6796 /prefetch:8
2⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
2⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8208 /prefetch:1
2⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8340 /prefetch:1
2⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7832 /prefetch:1
2⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7828 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
2⤵
PID:7064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
2⤵
PID:7072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
2⤵
PID:6268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
2⤵
PID:7220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
2⤵
PID:7368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 /prefetch:8
2⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:1
2⤵
PID:7268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
2⤵
PID:7464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8496 /prefetch:8
2⤵
PID:8048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8612 /prefetch:8
2⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8524 /prefetch:8
2⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9120 /prefetch:8
2⤵
PID:7180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
2⤵
PID:8608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9212 /prefetch:1
2⤵
PID:8616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
2⤵
PID:8860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8472 /prefetch:1
2⤵
PID:676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7368 /prefetch:1
2⤵
PID:8108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
2⤵
PID:8128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
2⤵
PID:7580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8980 /prefetch:1
2⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8708 /prefetch:1
2⤵
PID:7624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8668 /prefetch:1
2⤵
PID:8744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
2⤵
PID:6972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9068 /prefetch:1
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8744 /prefetch:8
2⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
2⤵
PID:8392

C:\Users\Admin\Downloads\FREDDO.exe
"C:\Users\Admin\Downloads\FREDDO.exe"
2⤵
- Checks computer location settings
PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
3⤵
- Checks computer location settings
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@NewKeanoGames-lp2rn
4⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9ccac46f8,0x7ff9ccac4708,0x7ff9ccac4718
5⤵
PID:5288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\msg.vbs"
4⤵
PID:8996

C:\Windows\system32\reg.exe
Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
4⤵
PID:7000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
2⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
2⤵
PID:7404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8696 /prefetch:1
2⤵
PID:9100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
2⤵
PID:6548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8904 /prefetch:1
2⤵
PID:7140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9088 /prefetch:1
2⤵
PID:680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
2⤵
PID:512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7748 /prefetch:1
2⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9048 /prefetch:1
2⤵
PID:8320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
2⤵
PID:7212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8572 /prefetch:1
2⤵
PID:8396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
2⤵
PID:6544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
2⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
2⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
2⤵
PID:6980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7388 /prefetch:8
2⤵
PID:7428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
2⤵
PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8388 /prefetch:1
2⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
2⤵
PID:8972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
2⤵
PID:7544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8296 /prefetch:1
2⤵
PID:7556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8072 /prefetch:8
2⤵
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
2⤵
PID:8936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8436 /prefetch:1
2⤵
PID:8860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
2⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8112 /prefetch:1
2⤵
PID:6552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:7016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=140 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
2⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=141 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
2⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=142 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8676 /prefetch:1
2⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=143 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
2⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=144 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:1
2⤵
PID:8144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=146 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8776 /prefetch:1
2⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=147 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8352 /prefetch:1
2⤵
PID:6556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=148 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=149 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9012 /prefetch:1
2⤵
PID:8852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=150 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8404 /prefetch:1
2⤵
PID:7332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=151 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8588 /prefetch:1
2⤵
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3128 /prefetch:8
2⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=155 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
2⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=156 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
2⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=158 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
2⤵
PID:8780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
2⤵
PID:7512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=161 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
2⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=163 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
2⤵
PID:7508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8828 /prefetch:8
2⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8
2⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
2⤵
PID:6604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=168 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:1
2⤵
PID:8780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
PID:7608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=171 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
2⤵
PID:7696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=173 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9204 /prefetch:1
2⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=174 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9008 /prefetch:1
2⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3012 /prefetch:8
2⤵
PID:7740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8
2⤵
PID:8108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=177 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
2⤵
PID:7368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=178 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8820 /prefetch:1
2⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=179 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
2⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=180 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
2⤵
PID:8636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=181 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
2⤵
PID:8656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=182 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
2⤵
PID:8316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=183 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
2⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=184 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1440 /prefetch:1
2⤵
PID:6704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=185 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
2⤵
PID:8264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=187 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
2⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=189 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7640 /prefetch:1
2⤵
PID:7764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
2⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9152 /prefetch:8
2⤵
PID:7832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7404 /prefetch:8
2⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7404 /prefetch:8
2⤵
PID:9172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=194 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9096 /prefetch:1
2⤵
PID:7336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8364 /prefetch:8
2⤵
PID:7704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8562286007976230967,2268667853724680903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7840 /prefetch:8
2⤵
PID:6120

C:\Users\Admin\Downloads\Bonzify (2).exe
"C:\Users\Admin\Downloads\Bonzify (2).exe"
2⤵
- Drops file in Windows directory
PID:8500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
3⤵
PID:7420

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
4⤵
- Kills process with taskkill
PID:4940

C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
4⤵
PID:7956

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
4⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
3⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
PID:7136

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
4⤵
- Modifies registry class
PID:8004

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
4⤵
PID:8028

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
4⤵
PID:8032

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
4⤵
PID:8184

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
4⤵
PID:6476

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
4⤵
PID:5556

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
4⤵
PID:5104

C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
4⤵
PID:3776

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
4⤵
PID:7432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
3⤵
PID:4220

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
4⤵
PID:2288

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe" /grant "everyone":(f)
4⤵
PID:6264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
3⤵
PID:5372

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
4⤵
PID:3800

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe" /grant "everyone":(f)
4⤵
PID:8780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
3⤵
PID:4376

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
4⤵
PID:1332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe" /grant "everyone":(f)
4⤵
PID:5876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
3⤵
PID:7832

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
4⤵
PID:5600

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe" /grant "everyone":(f)
4⤵
PID:6856

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
PID:8588

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
4⤵
PID:4348

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
4⤵
PID:6268

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
4⤵
PID:8424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
3⤵
PID:7548

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
4⤵
- Possible privilege escalation attempt
PID:9100

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe" /grant "everyone":(f)
4⤵
PID:7628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
3⤵
PID:4456

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
4⤵
PID:8868

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe" /grant "everyone":(f)
4⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
3⤵
PID:8260

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
4⤵
PID:7576

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe" /grant "everyone":(f)
4⤵
PID:8728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
3⤵
PID:4536

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
4⤵
PID:3100

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe" /grant "everyone":(f)
4⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"
3⤵
PID:2168

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe"
4⤵
PID:3408

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe" /grant "everyone":(f)
4⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"
3⤵
PID:5500

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe"
4⤵
PID:3280

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe" /grant "everyone":(f)
4⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"
3⤵
PID:5460

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe"
4⤵
PID:4816

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe" /grant "everyone":(f)
4⤵
PID:6484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"
3⤵
PID:2156

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe"
4⤵
PID:6672

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe" /grant "everyone":(f)
4⤵
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
3⤵
PID:9012

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
4⤵
PID:6784

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
4⤵
- Modifies file permissions
PID:7740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
3⤵
PID:6912

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
4⤵
PID:7580

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
4⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
3⤵
PID:1632

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
4⤵
PID:6564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)
4⤵
PID:5432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
3⤵
PID:4752

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
4⤵
- Possible privilege escalation attempt
PID:8376

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)
4⤵
PID:5156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"
3⤵
PID:5632

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe"
4⤵
PID:7964

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
4⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
3⤵
PID:3800

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
4⤵
PID:620

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)
4⤵
PID:6476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
3⤵
PID:760

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
4⤵
PID:7448

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)
4⤵
PID:7432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"
3⤵
PID:6636

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe"
4⤵
PID:1200

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe" /grant "everyone":(f)
4⤵
PID:6528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:6468

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:7832

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)
4⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
3⤵
PID:5220

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
PID:6812

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)
4⤵
PID:6908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"
3⤵
PID:5864

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe"
4⤵
PID:8552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)
4⤵
PID:6864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
3⤵
PID:4996

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
4⤵
PID:5072

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)
4⤵
PID:8852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"
3⤵
PID:5136

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"
4⤵
PID:1068

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)
4⤵
PID:5312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
3⤵
PID:2792

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
4⤵
PID:8636

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)
4⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"
3⤵
PID:7700

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe"
4⤵
PID:5464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)
4⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"
3⤵
PID:8792

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"
4⤵
PID:6544

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe" /grant "everyone":(f)
4⤵
PID:7728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
3⤵
PID:6268

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
4⤵
PID:8496

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /grant "everyone":(f)
4⤵
PID:9004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
PID:8880

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
4⤵
PID:4360

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /grant "everyone":(f)
4⤵
PID:7936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"
3⤵
PID:4424

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe"
4⤵
PID:8756

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe" /grant "everyone":(f)
4⤵
PID:7160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"
3⤵
PID:7220

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"
4⤵
PID:8992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe" /grant "everyone":(f)
4⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"
3⤵
PID:7988

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe"
4⤵
PID:4156

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe" /grant "everyone":(f)
4⤵
PID:8988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
3⤵
PID:680

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
4⤵
PID:5900

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /grant "everyone":(f)
4⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
3⤵
PID:2168

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
4⤵
PID:2412

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
4⤵
PID:6808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
3⤵
PID:2288

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
4⤵
PID:4772

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe" /grant "everyone":(f)
4⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
PID:4816

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
4⤵
PID:6672

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
4⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
3⤵
PID:2156

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
4⤵
PID:8532

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
4⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
3⤵
PID:3768

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
4⤵
PID:4284

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" /grant "everyone":(f)
4⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:8268

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:7580

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
4⤵
PID:7944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
PID:1192

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:6388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
4⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:184

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:5468

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /grant "everyone":(f)
4⤵
PID:5156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
3⤵
PID:2128

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
4⤵
PID:3256

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
4⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
3⤵
PID:8100

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
4⤵
PID:1524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
4⤵
PID:9128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
3⤵
PID:7468

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
4⤵
PID:6876

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
4⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
3⤵
PID:6924

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
4⤵
PID:6852

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
4⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
3⤵
PID:4528

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
4⤵
PID:4944

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
4⤵
PID:6136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
3⤵
PID:7572

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
4⤵
PID:8784

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
4⤵
PID:6880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
3⤵
PID:8660

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
4⤵
PID:6516

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe" /grant "everyone":(f)
4⤵
PID:7872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
3⤵
PID:9104

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
4⤵
PID:7736

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe" /grant "everyone":(f)
4⤵
PID:5220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
3⤵
PID:5396

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
4⤵
PID:7680

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe" /grant "everyone":(f)
4⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
3⤵
PID:6792

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
4⤵
PID:8544

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /grant "everyone":(f)
4⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
3⤵
PID:1272

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
4⤵
PID:7648

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
4⤵
PID:8984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
3⤵
PID:7940

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
4⤵
PID:7492

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe" /grant "everyone":(f)
4⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
3⤵
PID:2580

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
4⤵
PID:7640

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe" /grant "everyone":(f)
4⤵
PID:5604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
3⤵
PID:6072

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
4⤵
PID:9056

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /grant "everyone":(f)
4⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
3⤵
PID:8320

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
4⤵
PID:7256

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe" /grant "everyone":(f)
4⤵
PID:8912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
3⤵
PID:8424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:8496

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
4⤵
- Modifies file permissions
PID:9016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
4⤵
PID:8588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:4408

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:7388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
4⤵
PID:7160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
3⤵
PID:2032

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
4⤵
PID:976

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
4⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:6840

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5056

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
4⤵
PID:7092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:8988

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:5644

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
4⤵
PID:5388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:9196

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:528

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
4⤵
PID:7396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:2340

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
4⤵
PID:6552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
4⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:6808

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
4⤵
PID:5696

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
4⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
3⤵
PID:3512

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
4⤵
PID:4816

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
4⤵
PID:7896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
PID:8196

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
4⤵
PID:4232

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)
4⤵
PID:8944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:1848

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
4⤵
PID:6280

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" /grant "everyone":(f)
4⤵
PID:7312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:2132

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
4⤵
PID:4616

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
4⤵
PID:5920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:8600

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
4⤵
PID:6388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /grant "everyone":(f)
4⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:4152

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
4⤵
PID:6264

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /grant "everyone":(f)
4⤵
PID:7712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:8120

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
4⤵
PID:8376

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
4⤵
PID:9008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
3⤵
PID:5680

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
4⤵
PID:4372

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
4⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
3⤵
PID:7928

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
4⤵
PID:1492

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
4⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
3⤵
PID:3776

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
4⤵
PID:7360

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" /grant "everyone":(f)
4⤵
PID:9112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:5876

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:3168

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)
4⤵
PID:6036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:5720

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
PID:6052

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" /grant "everyone":(f)
4⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:7832

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
4⤵
PID:7676

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
4⤵
PID:6728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:9212

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:9204

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /grant "everyone":(f)
4⤵
PID:7796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
3⤵
PID:1716

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
4⤵
PID:5568

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)
4⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
3⤵
PID:8584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:8544

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
4⤵
PID:7524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" /grant "everyone":(f)
4⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
PID:7480

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
4⤵
PID:5684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" /grant "everyone":(f)
4⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4072

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:7500

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /grant "everyone":(f)
4⤵
PID:7032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2792

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:5464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)
4⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:2680

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
4⤵
PID:7540

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)
4⤵
PID:8564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
3⤵
PID:412

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
4⤵
PID:6268

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)
4⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:5328

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Possible privilege escalation attempt
PID:8880

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /grant "everyone":(f)
4⤵
PID:7388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
3⤵
PID:8756

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
4⤵
PID:3696

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)
4⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
3⤵
PID:2636

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
4⤵
PID:2440

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)
4⤵
PID:8200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"
3⤵
PID:7204

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"
4⤵
PID:2264

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)
4⤵
- Possible privilege escalation attempt
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
3⤵
PID:3708

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
4⤵
- Modifies file permissions
PID:5388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)
4⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
3⤵
PID:9092

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
4⤵
PID:7396

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)
4⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
3⤵
PID:2168

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
4⤵
PID:2560

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)
4⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
3⤵
PID:2288

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
4⤵
PID:2000

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)
4⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
3⤵
PID:6672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4880

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
4⤵
PID:6524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)
4⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
3⤵
PID:1344

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
4⤵
PID:8944

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe" /grant "everyone":(f)
4⤵
PID:6280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
3⤵
PID:5968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4284

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
4⤵
PID:7312

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /grant "everyone":(f)
4⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
3⤵
PID:8064

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
4⤵
PID:7236

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe" /grant "everyone":(f)
4⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
3⤵
PID:8220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6388

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
4⤵
PID:3076

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe" /grant "everyone":(f)
4⤵
PID:7792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
3⤵
PID:5848

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
4⤵
PID:8108

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" /grant "everyone":(f)
4⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
3⤵
PID:8120

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
4⤵
PID:7964

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe" /grant "everyone":(f)
4⤵
PID:5440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
3⤵
PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:9128

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
4⤵
PID:2468

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /grant "everyone":(f)
4⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
3⤵
PID:3800

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
4⤵
PID:8664

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
4⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
3⤵
PID:7360

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
4⤵
PID:4528

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe" /grant "everyone":(f)
4⤵
PID:9068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
3⤵
PID:1896

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
4⤵
- Possible privilege escalation attempt
PID:7592

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe" /grant "everyone":(f)
4⤵
PID:7572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
3⤵
PID:5720

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
4⤵
PID:6248

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
4⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
3⤵
PID:7832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6516

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
4⤵
PID:7884

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
4⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
3⤵
PID:7660

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
4⤵
PID:8508

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" /grant "everyone":(f)
4⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
3⤵
PID:6908

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
4⤵
PID:5136

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
4⤵
PID:6584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
3⤵
PID:6424

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
4⤵
PID:5656

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
4⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
3⤵
PID:1272

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
4⤵
PID:8548

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /grant "everyone":(f)
4⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
3⤵
PID:9108

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
4⤵
PID:3112

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
4⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
3⤵
PID:4312

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
4⤵
PID:9056

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
4⤵
- Modifies file permissions
PID:8680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
3⤵
PID:6544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:7256

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
4⤵
PID:6984

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
4⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
3⤵
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:9016

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
4⤵
PID:4360

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
4⤵
PID:8720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
3⤵
PID:8880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:7160

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
4⤵
PID:4324

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
4⤵
PID:7544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
3⤵
PID:976

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
4⤵
PID:4940

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe" /grant "everyone":(f)
4⤵
PID:6376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
3⤵
PID:7956

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
4⤵
PID:6840

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
4⤵
PID:7404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
3⤵
PID:7412

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
4⤵
PID:3216

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe" /grant "everyone":(f)
4⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
3⤵
PID:1704

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
4⤵
PID:528

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe" /grant "everyone":(f)
4⤵
PID:7396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
3⤵
PID:1796

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
4⤵
PID:7152

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe" /grant "everyone":(f)
4⤵
PID:6620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
3⤵
PID:672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6808

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
4⤵
PID:2288

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /grant "everyone":(f)
4⤵
PID:5756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
3⤵
PID:8532

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
4⤵
PID:6972

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
4⤵
PID:6672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
3⤵
PID:4880

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
4⤵
PID:408

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe" /grant "everyone":(f)
4⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
3⤵
PID:4232

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
4⤵
PID:9012

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe" /grant "everyone":(f)
4⤵
PID:7980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
3⤵
PID:5432

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
4⤵
PID:1632

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe" /grant "everyone":(f)
4⤵
PID:6684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
3⤵
PID:8132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:8600

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
4⤵
PID:2812

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe" /grant "everyone":(f)
4⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:7112

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
4⤵
PID:4796

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
4⤵
PID:8008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:7748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2128

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
4⤵
PID:5336

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
4⤵
PID:8120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:5188

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
4⤵
PID:8780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
4⤵
PID:7356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:5372

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
4⤵
PID:8372

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
4⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:7928

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:760

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
4⤵
PID:7688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:7960

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:5852

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
4⤵
PID:7592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:6052

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
4⤵
- Modifies file permissions
PID:8592

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
4⤵
PID:5720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:4044

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
4⤵
PID:9204

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
4⤵
PID:8016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:4224

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
4⤵
PID:636

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
4⤵
PID:7660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
3⤵
PID:8508

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
4⤵
PID:4404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)
4⤵
PID:8700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:1716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6908

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
4⤵
- Possible privilege escalation attempt
PID:5308

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe" /grant "everyone":(f)
4⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:7492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:7940

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
4⤵
PID:2832

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
4⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:9104

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
4⤵
PID:7700

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /grant "everyone":(f)
4⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:8212

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
4⤵
PID:5464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /grant "everyone":(f)
4⤵
PID:8892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:9088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:8320

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
4⤵
PID:7368

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
4⤵
- Modifies file permissions
PID:6268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:4308

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
4⤵
PID:1184

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
4⤵
PID:8720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:8992

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
4⤵
PID:1928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
4⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
3⤵
PID:4536

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
4⤵
PID:7812

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe" /grant "everyone":(f)
4⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:3228

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
4⤵
PID:5416

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)
4⤵
PID:5644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
3⤵
PID:8988

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
4⤵
PID:5672

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" /grant "everyone":(f)
4⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:9136

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
4⤵
PID:6868

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
4⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:7564

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
4⤵
PID:4016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" /grant "everyone":(f)
4⤵
PID:5696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:4816

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
4⤵
PID:4772

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)
4⤵
PID:6556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
3⤵
PID:6788

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
4⤵
PID:5700

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /grant "everyone":(f)
4⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:3812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4880

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
4⤵
PID:5968

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe" /grant "everyone":(f)
4⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
3⤵
PID:4284

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
4⤵
PID:6572

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /grant "everyone":(f)
4⤵
PID:8064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:8268

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
4⤵
PID:1632

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)
4⤵
PID:7944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:7868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:7792

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
4⤵
PID:2812

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)
4⤵
PID:6264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
3⤵
PID:8032

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
4⤵
PID:8184

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)
4⤵
PID:9008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
3⤵
PID:7748

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
4⤵
PID:9192

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /grant "everyone":(f)
4⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:5188

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
4⤵
PID:7432

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)
4⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\msagent\AgentSvr.exe"
3⤵
PID:1260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:8372

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\msagent\AgentSvr.exe"
4⤵
PID:3776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\msagent\AgentSvr.exe" /grant "everyone":(f)
4⤵
PID:9068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\notepad.exe"
3⤵
PID:7188

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\notepad.exe"
4⤵
PID:7592

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\notepad.exe" /grant "everyone":(f)
4⤵
PID:7440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\PrintDialog\PrintDialog.exe"
3⤵
PID:8872

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\PrintDialog\PrintDialog.exe"
4⤵
PID:5156

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\PrintDialog\PrintDialog.exe" /grant "everyone":(f)
4⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\regedit.exe"
3⤵
PID:9024

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\regedit.exe"
4⤵
PID:8016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\regedit.exe" /grant "everyone":(f)
4⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\TrustedInstaller.exe"
3⤵
PID:7524

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\servicing\TrustedInstaller.exe"
4⤵
PID:8700

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\servicing\TrustedInstaller.exe" /grant "everyone":(f)
4⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Speech\Common\sapisvr.exe"
3⤵
PID:8840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5684

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Speech\Common\sapisvr.exe"
4⤵
PID:5136

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Speech\Common\sapisvr.exe" /grant "everyone":(f)
4⤵
PID:7228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\splwow64.exe"
3⤵
PID:8960

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\splwow64.exe"
4⤵
PID:8684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\splwow64.exe" /grant "everyone":(f)
4⤵
PID:5796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\sysmon.exe"
3⤵
PID:8636

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\sysmon.exe"
4⤵
PID:7540

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\sysmon.exe" /grant "everyone":(f)
4⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\agentactivationruntimestarter.exe"
3⤵
PID:4540

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\agentactivationruntimestarter.exe"
4⤵
PID:4168

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\agentactivationruntimestarter.exe" /grant "everyone":(f)
4⤵
PID:7652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\appidtel.exe"
3⤵
PID:8900

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\appidtel.exe"
4⤵
PID:412

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\appidtel.exe" /grant "everyone":(f)
4⤵
PID:7816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ARP.EXE"
3⤵
PID:1364

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ARP.EXE"
4⤵
PID:5764

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ARP.EXE" /grant "everyone":(f)
4⤵
PID:9060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\at.exe"
3⤵
PID:4408

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\at.exe"
4⤵
PID:9096

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\at.exe" /grant "everyone":(f)
4⤵
PID:7588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\AtBroker.exe"
3⤵
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3696

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\AtBroker.exe"
4⤵
- Modifies file permissions
PID:4924

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\AtBroker.exe" /grant "everyone":(f)
4⤵
- Modifies file permissions
PID:5792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\attrib.exe"
3⤵
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:8200

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\attrib.exe"
4⤵
PID:2324

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\attrib.exe" /grant "everyone":(f)
4⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\auditpol.exe"
3⤵
PID:1820

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\auditpol.exe"
4⤵
PID:4052

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\auditpol.exe" /grant "everyone":(f)
4⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autochk.exe"
3⤵
PID:9196

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\autochk.exe"
4⤵
PID:9148

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\autochk.exe" /grant "everyone":(f)
4⤵
PID:5244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autoconv.exe"
3⤵
PID:1704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:7396

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\autoconv.exe"
4⤵
PID:7416

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\autoconv.exe" /grant "everyone":(f)
4⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autofmt.exe"
3⤵
PID:1796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:7152

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\autofmt.exe"
4⤵
PID:3468

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\autofmt.exe" /grant "everyone":(f)
4⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\backgroundTaskHost.exe"
3⤵
PID:6556

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\backgroundTaskHost.exe"
4⤵
PID:640

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\backgroundTaskHost.exe" /grant "everyone":(f)
4⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\BackgroundTransferHost.exe"
3⤵
PID:1888

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\BackgroundTransferHost.exe"
4⤵
PID:6216

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\BackgroundTransferHost.exe" /grant "everyone":(f)
4⤵
PID:6484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bitsadmin.exe"
3⤵
PID:8944

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\bitsadmin.exe"
4⤵
PID:1848

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\bitsadmin.exe" /grant "everyone":(f)
4⤵
PID:7980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bootcfg.exe"
3⤵
PID:7052

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\bootcfg.exe"
4⤵
PID:8152

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\bootcfg.exe" /grant "everyone":(f)
4⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bthudtask.exe"
3⤵
PID:8004

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\bthudtask.exe"
4⤵
PID:6684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\bthudtask.exe" /grant "everyone":(f)
4⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ByteCodeGenerator.exe"
3⤵
PID:5452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5376

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ByteCodeGenerator.exe"
4⤵
PID:7576

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ByteCodeGenerator.exe" /grant "everyone":(f)
4⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cacls.exe"
3⤵
PID:8008

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cacls.exe"
4⤵
PID:8184

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cacls.exe" /grant "everyone":(f)
4⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\calc.exe"
3⤵
PID:6876

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\calc.exe"
4⤵
PID:8248

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\calc.exe" /grant "everyone":(f)
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CameraSettingsUIHost.exe"
3⤵
PID:3632

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CameraSettingsUIHost.exe"
4⤵
PID:2548

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CameraSettingsUIHost.exe" /grant "everyone":(f)
4⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CertEnrollCtrl.exe"
3⤵
PID:5104

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CertEnrollCtrl.exe"
4⤵
PID:6244

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CertEnrollCtrl.exe" /grant "everyone":(f)
4⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certreq.exe"
3⤵
PID:7960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4528

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\certreq.exe"
4⤵
PID:6604

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\certreq.exe" /grant "everyone":(f)
4⤵
PID:7872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certutil.exe"
3⤵
PID:8660

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\certutil.exe"
4⤵
PID:5908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\certutil.exe" /grant "everyone":(f)
4⤵
PID:6864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\charmap.exe"
3⤵
PID:4044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6728

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\charmap.exe"
4⤵
PID:512

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\charmap.exe" /grant "everyone":(f)
4⤵
PID:5220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CheckNetIsolation.exe"
3⤵
PID:7840

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CheckNetIsolation.exe"
4⤵
PID:5428

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CheckNetIsolation.exe" /grant "everyone":(f)
4⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkdsk.exe"
3⤵
PID:8844

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\chkdsk.exe"
4⤵
PID:6756

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\chkdsk.exe" /grant "everyone":(f)
4⤵
PID:8544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkntfs.exe"
3⤵
PID:1716

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\chkntfs.exe"
4⤵
PID:8668

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\chkntfs.exe" /grant "everyone":(f)
4⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\choice.exe"
3⤵
PID:8036

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\choice.exe"
4⤵
PID:7556

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\choice.exe" /grant "everyone":(f)
4⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cipher.exe"
3⤵
PID:344

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cipher.exe"
4⤵
PID:9104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cipher.exe" /grant "everyone":(f)
4⤵
PID:8972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cleanmgr.exe"
3⤵
PID:8548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2680

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cleanmgr.exe"
4⤵
PID:9160

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cleanmgr.exe" /grant "everyone":(f)
4⤵
PID:8564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cliconfg.exe"
3⤵
PID:2792

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cliconfg.exe"
4⤵
PID:3292

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cliconfg.exe" /grant "everyone":(f)
4⤵
PID:6544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\clip.exe"
3⤵
PID:8520

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\clip.exe"
4⤵
PID:5320

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\clip.exe" /grant "everyone":(f)
4⤵
PID:8604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CloudNotifications.exe"
3⤵
PID:8824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:8880

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\CloudNotifications.exe"
4⤵
PID:8720

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\CloudNotifications.exe" /grant "everyone":(f)
4⤵
PID:8496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmd.exe"
3⤵
PID:8076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4940

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmd.exe"
4⤵
PID:8448

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmd.exe" /grant "everyone":(f)
4⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdkey.exe"
3⤵
PID:4324

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmdkey.exe"
4⤵
PID:8204

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmdkey.exe" /grant "everyone":(f)
4⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdl32.exe"
3⤵
PID:3228

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmdl32.exe"
4⤵
PID:872

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmdl32.exe" /grant "everyone":(f)
4⤵
PID:5416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmmon32.exe"
3⤵
PID:1808

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmmon32.exe"
4⤵
PID:3280

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmmon32.exe" /grant "everyone":(f)
4⤵
PID:7412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmstp.exe"
3⤵
PID:6084

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\cmstp.exe"
4⤵
PID:9200

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\cmstp.exe" /grant "everyone":(f)
4⤵
PID:8796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\colorcpl.exe"
3⤵
PID:6552

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\colorcpl.exe"
4⤵
PID:5224

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\colorcpl.exe" /grant "everyone":(f)
4⤵
PID:7236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\comrepl.exe"
3⤵
PID:6912

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Com\comrepl.exe"
4⤵
PID:5432

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Com\comrepl.exe" /grant "everyone":(f)
4⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\MigRegDB.exe"
3⤵
PID:4932

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\Com\MigRegDB.exe"
4⤵
PID:1524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\Com\MigRegDB.exe" /grant "everyone":(f)
4⤵
PID:7112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\comp.exe"
3⤵
PID:8556

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\comp.exe"
4⤵
PID:5688

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\comp.exe" /grant "everyone":(f)
4⤵
PID:5188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\compact.exe"
3⤵
PID:7996

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\compact.exe"
4⤵
PID:4524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\compact.exe" /grant "everyone":(f)
4⤵
PID:8392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ComputerDefaults.exe"
3⤵
PID:7928

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ComputerDefaults.exe"
4⤵
PID:7692

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\ComputerDefaults.exe" /grant "everyone":(f)
4⤵
PID:8872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\control.exe"
3⤵
PID:7180

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\control.exe"
4⤵
PID:7196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2276

C:\Users\Admin\Downloads\Barbie and her Sisters Puppy Rescue_Eo-DwL1.exe
"C:\Users\Admin\Downloads\Barbie and her Sisters Puppy Rescue_Eo-DwL1.exe"
1⤵
- Executes dropped EXE
PID:3780

C:\Users\Admin\AppData\Local\Temp\is-LGI4E.tmp\Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LGI4E.tmp\Barbie and her Sisters Puppy Rescue_Eo-DwL1.tmp" /SL5="$8027E,13603942,780800,C:\Users\Admin\Downloads\Barbie and her Sisters Puppy Rescue_Eo-DwL1.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4820

C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod0.exe
"C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod0.exe" -ip:"dui=54283972-31eb-44bb-adba-4e057460c33c&dit=20240410181748&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=d267&a=100&b=em&se=true" -vp:"dui=54283972-31eb-44bb-adba-4e057460c33c&dit=20240410181748&oc=ZB_RAV_Cross_Tri_NCB&p=d267&a=100&oip=26&ptl=7&dta=true" -dp:"dui=54283972-31eb-44bb-adba-4e057460c33c&dit=20240410181748&oc=ZB_RAV_Cross_Tri_NCB&p=d267&a=100" -i -v -d -se=true
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Users\Admin\AppData\Local\Temp\bddl5arx.exe
"C:\Users\Admin\AppData\Local\Temp\bddl5arx.exe" /silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4552

C:\Users\Admin\AppData\Local\Temp\nst5B8D.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nst5B8D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\bddl5arx.exe" /silent
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
6⤵
- Executes dropped EXE
PID:5224

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
6⤵
- Adds Run key to start application
PID:7064

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
7⤵
- Checks processor information in registry
PID:4680

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
8⤵
PID:5704

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
6⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:6596

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6816

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
6⤵
- Executes dropped EXE
PID:5924

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Users\Admin\AppData\Local\Temp\pqzpkfpg.exe
"C:\Users\Admin\AppData\Local\Temp\pqzpkfpg.exe" /silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3928

C:\Users\Admin\AppData\Local\Temp\nstF3E5.tmp\RAVVPN-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nstF3E5.tmp\RAVVPN-installer.exe" "C:\Users\Admin\AppData\Local\Temp\pqzpkfpg.exe" /silent
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:6252

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
6⤵
- Executes dropped EXE
PID:5900

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6872

C:\Users\Admin\AppData\Local\Temp\ynchbncp.exe
"C:\Users\Admin\AppData\Local\Temp\ynchbncp.exe" /silent
4⤵
- Executes dropped EXE
PID:6080

C:\Users\Admin\AppData\Local\Temp\nst6627.tmp\SaferWeb-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nst6627.tmp\SaferWeb-installer.exe" "C:\Users\Admin\AppData\Local\Temp\ynchbncp.exe" /silent
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:4540

\??\c:\windows\system32\rundll32.exe
"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
6⤵
- Adds Run key to start application
PID:7480

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
7⤵
- Checks processor information in registry
PID:7312

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
8⤵
PID:7768

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i -i
6⤵
- Executes dropped EXE
PID:7420

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -i -service install
6⤵
- Executes dropped EXE
PID:7940

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
6⤵
- Executes dropped EXE
PID:7908

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i -i
6⤵
- Executes dropped EXE
PID:7832

C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod1_extract\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod1_extract\installer.exe
"C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5272

C:\Program Files\McAfee\Temp3608612160\installer.exe
"C:\Program Files\McAfee\Temp3608612160\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6116

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
6⤵
PID:5316

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
7⤵
- Loads dropped DLL
PID:6136

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
6⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:6044

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
6⤵
PID:5284

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
7⤵
- Loads dropped DLL
PID:4820

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
6⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:5232

C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod2_extract\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod2_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_b
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:3904

C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod2_extract\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2c0,0x2c4,0x2c8,0x298,0x2bc,0x71b9e1d0,0x71b9e1dc,0x71b9e1e8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4388

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4916

C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod2_extract\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod2_extract\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3904 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240410181800" --session-guid=eb1011df-e94b-4e00-a353-a5887e3a708d --server-tracking-blob=ZmE5YzFmMDNlZTRmNmYwZjgwOTY1ODc4MWYzOGRiNDg3YWIzOTYxNzg1ZTM4MGM1YzZjZDU0OTM4MWRlZTQxMjp7ImNvdW50cnkiOiJJTCIsImVkaXRpb24iOiJjZGYiLCJpbnN0YWxsZXJfbmFtZSI6Ik9wZXJhU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmEifSwicXVlcnkiOiIvZWRpdGlvbi9jZGY/dXRtX2NvbnRlbnQ9Y2RmJnV0bV9tZWRpdW09cGIiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTI0NzU3NzIuMDk1MiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wZXJhX25ld19iIiwiY29udGVudCI6ImNkZiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6ImFpcyJ9LCJ1dWlkIjoiNGQ1NTg2MjEtNjlkNy00Nzk0LTk5ZDMtY2NmODEwMjY4YTg3In0= --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=8005000000000000
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:388

C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod2_extract\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\prod2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2b4,0x2b8,0x2bc,0x268,0x2cc,0x7104e1d0,0x7104e1dc,0x7104e1e8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4340

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404101818001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404101818001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
4⤵
- Executes dropped EXE
PID:3524

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404101818001\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404101818001\assistant\assistant_installer.exe" --version
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5512

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404101818001\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404101818001\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x790040,0x79004c,0x790058
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6344

C:\Windows\SysWOW64\netsh.exe
"netsh" firewall add allowedprogramC:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\qbittorrent.exe "qBittorrent" ENABLE
3⤵
- Modifies Windows Firewall
PID:2416

C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\qbittorrent.exe
"C:\Users\Admin\AppData\Local\Temp\is-O7853.tmp\qbittorrent.exe" magnet:?xt=urn:btih:B18869C22B852CC7350388D1A3A48A388410B422
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5340

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5276

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5824

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:6276

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:6820

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:6848

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4828

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:544

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5248

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
PID:3968

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:6292

\??\c:\program files\reasonlabs\epp\rsHelper.exe
"c:\program files\reasonlabs\epp\rsHelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6932

\??\c:\program files\reasonlabs\EPP\ui\EPP.exe
"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
2⤵
- Executes dropped EXE
PID:6500

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:6976

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2576 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
- Executes dropped EXE
PID:4688

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2736 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
- Executes dropped EXE
PID:6176

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2900 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:7004

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3848 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4472

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4324 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:7732

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4680 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:8736

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4648 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:8372

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4504 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:7188

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2440 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:8352

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1620 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:1140

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4816 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:7428

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4988 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:2548

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5112 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:4432

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5284 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:6924

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5744 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:8520

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4416 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:6396

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5304 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:4676

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4448 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:3408

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5100 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:6604

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4760 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:872

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=2708 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:676

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5260 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:6724

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5128 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:2780

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3256 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:8672

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5312 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:4768

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=2720 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:7388

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5756 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:9056

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5580 --field-trial-handle=2580,i,6659919421795627875,9643170397789333656,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:8432

C:\program files\reasonlabs\epp\rsLitmus.A.exe
"C:\program files\reasonlabs\epp\rsLitmus.A.exe"
2⤵
- Executes dropped EXE
PID:7660

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
- Executes dropped EXE
PID:5748

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:6964

\??\c:\program files\reasonlabs\VPN\ui\VPN.exe
"c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
2⤵
- Executes dropped EXE
PID:2068

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1468

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2228 --field-trial-handle=2232,i,17933431355696618946,16572768662585834010,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7120

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=2320 --field-trial-handle=2232,i,17933431355696618946,16572768662585834010,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6844

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2960 --field-trial-handle=2232,i,17933431355696618946,16572768662585834010,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:6404

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3828 --field-trial-handle=2232,i,17933431355696618946,16572768662585834010,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:6432

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2996 --field-trial-handle=2232,i,17933431355696618946,16572768662585834010,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:8432

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4392

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
- Executes dropped EXE
PID:7776

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
- Executes dropped EXE
PID:7176

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
- Executes dropped EXE
PID:8764

\??\c:\program files\reasonlabs\DNS\ui\DNS.exe
"c:\program files\reasonlabs\DNS\ui\DNS.exe" --minimized --focused --first-run
2⤵
- Executes dropped EXE
PID:8492

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\DNS\ui\app.asar" --engine-path="c:\program files\reasonlabs\DNS" --minimized --focused --first-run
3⤵
- Checks computer location settings
- Suspicious use of SendNotifyMessage
PID:8500

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2608 --field-trial-handle=2612,i,16853209048348567988,15413652959634389369,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:8980

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --mojo-platform-channel-handle=2664 --field-trial-handle=2612,i,16853209048348567988,15413652959634389369,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:9132

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --app-user-model-id=com.reasonlabs.dns --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3172 --field-trial-handle=2612,i,16853209048348567988,15413652959634389369,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:9156

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2892 --field-trial-handle=2612,i,16853209048348567988,15413652959634389369,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:8544

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:8852

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7536

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7452

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\nul
2⤵
PID:7512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:9164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7664

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\nul"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
PID:8296

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:7308

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=711316DBD2B59C18CFDAB15E10FCDF37 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4880

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6D1C8AC89354368E41B9951F77F34AE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6D1C8AC89354368E41B9951F77F34AE7 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
4⤵
PID:7272

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=94C560D8819D2A203AEBAA5C92DB25DF --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:8412

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=95BC436218108033F5590FE31B06044A --mojo-platform-channel-handle=2468 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:8740

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=375C983B29A2E1755299BC0B2859C50D --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7432

C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe"
1⤵
PID:8248

C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
2⤵
PID:6460

C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
MSAGENT.EXE
3⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
PID:7412

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
4⤵
- Modifies registry class
PID:8188

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
4⤵
- Modifies registry class
PID:5848

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
4⤵
PID:6136

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
4⤵
PID:4692

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
4⤵
PID:1100

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
4⤵
PID:1856

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
4⤵
PID:8732

C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
4⤵
- Modifies registry class
PID:3100

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
4⤵
PID:8872

C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
tv_enua.exe
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:7016

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
4⤵
PID:7172

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
4⤵
PID:688

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
4⤵
PID:6756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bonzibuddy.tk/
2⤵
PID:8348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0x40,0x124,0x7ff9ccac46f8,0x7ff9ccac4708,0x7ff9ccac4718
3⤵
PID:7240

C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
1⤵
- Modifies registry class
PID:3636

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
PID:3272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x4ec
1⤵
PID:8732

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
PID:4164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x4ec
1⤵
PID:6856

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:6580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery