wannacry | hxxps://archive[.]org/details/malware-pack-2

Processes:

tv_enua.exeMSAGENT.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 14 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

MEMZ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rekt.exe"	MEMZ.exe

Drops startup file 2 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2D26.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2D2D.tmp	[email protected]

Executes dropped EXE 64 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskdl.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetree.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exeInstaller.exeMSAGENT.EXEtv_enua.exe

pid	process
2004	taskdl.exe
1008	@[email protected]
4376	@[email protected]
4248	taskhsvc.exe
3484	taskdl.exe
3740	taskse.exe
3600	@[email protected]
5108	taskdl.exe
1652	taskse.exe
3576	@[email protected]
2352	taskse.exe
1552	@[email protected]
3116	taskdl.exe
1648	taskse.exe
4580	@[email protected]
4668	taskdl.exe
3972	@[email protected]
2024	taskse.exe
4392	taskdl.exe
656	MEMZ.exe
2404	MEMZ.exe
1520	MEMZ.exe
2344	MEMZ.exe
3584	MEMZ.exe
4448	taskse.exe
4852	@[email protected]
3800	taskdl.exe
2904	taskse.exe
4648	@[email protected]
4684	taskdl.exe
5216	taskse.exe
5224	@[email protected]
5248	taskdl.exe
3828	taskse.exe
2044	@[email protected]
5148	taskdl.exe
5392	taskse.exe
5400	@[email protected]
5848	taskdl.exe
5532	taskse.exe
3968	@[email protected]
1036	taskdl.exe
6048	tree.exe
6032	taskse.exe
5148	@[email protected]
5844	taskdl.exe
7016	taskse.exe
7020	@[email protected]
7048	taskdl.exe
6468	taskse.exe
6212	@[email protected]
1316	taskdl.exe
344	taskse.exe
6680	@[email protected]
3052	taskdl.exe
6196	taskse.exe
3144	@[email protected]
6064	taskdl.exe
5616	taskse.exe
6992	@[email protected]
7140	taskdl.exe
7512	Installer.exe
4236	MSAGENT.EXE
6820	tv_enua.exe

Loads dropped DLL 41 IoCs

Processes:

taskhsvc.exeInstaller.exeMSAGENT.EXEtv_enua.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeBonziBDY_35.EXEAgentSvr.exe

pid	process
4248	taskhsvc.exe
4248	taskhsvc.exe
4248	taskhsvc.exe
4248	taskhsvc.exe
4248	taskhsvc.exe
4248	taskhsvc.exe
4248	taskhsvc.exe
7512	Installer.exe
7512	Installer.exe
4236	MSAGENT.EXE
6820	tv_enua.exe
7164	regsvr32.exe
4980	regsvr32.exe
5780	regsvr32.exe
5780	regsvr32.exe
3512	regsvr32.exe
6076	regsvr32.exe
7776	regsvr32.exe
5516	regsvr32.exe
7228	regsvr32.exe
7988	regsvr32.exe
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
4864	AgentSvr.exe
4864	AgentSvr.exe
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
4864	AgentSvr.exe
4864	AgentSvr.exe
4864	AgentSvr.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

224 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
224	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

reg.exetree.exetv_enua.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lknmewvzsp534 = "\"C:\\Users\\Admin\\Downloads\\Malware_pack_2\\Malware_pack_2\\WannaCrypt0r\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Windows\CurrentVersion\Run\DesktopXmasTree = "C:\\Users\\Admin\\AppData\\Roaming\\Data\\tree.exe"	tree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 8 IoCs

Processes:

Installer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Installer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Installer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Installer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Installer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Installer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Installer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Installer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Installer.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 3 IoCs

Processes:

tv_enua.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SET2AEE.tmp	tv_enua.exe
File created	C:\Windows\SysWOW64\SET2AEE.tmp	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

[email protected]@[email protected]MEMZ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Data\\Pussy.png"	MEMZ.exe

Drops file in Windows directory 55 IoCs

Processes:

tv_enua.exeMSAGENT.EXEInstaller.exe

description	ioc	process
File opened for modification	C:\Windows\fonts\SET2AAD.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET29F2.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET29F4.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET29F8.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\mslwvtts.dll	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET2A9B.tmp	tv_enua.exe
File opened for modification	C:\Windows\lhsp\tv\SET2A9C.tmp	tv_enua.exe
File created	C:\Windows\fonts\SET2AAD.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET29F1.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET29F0.tmp	MSAGENT.EXE
File created	C:\Windows\help\SET29F9.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET29F6.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SET29F7.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET29F5.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET29F6.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET29F8.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET2A0B.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SET2AED.tmp	tv_enua.exe
File created	C:\Windows\INF\SET2AED.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	MSAGENT.EXE
File created	C:\Windows\msagent\SET29F0.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentPsh.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET2A9C.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET29DF.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\intl\SET29FA.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET29F3.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET29F2.tmp	MSAGENT.EXE
File created	C:\Windows\INF\SET29F7.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File created	C:\Windows\MsAgent\chars\Bonzi.acs	Installer.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET29F5.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\SET29F9.tmp	MSAGENT.EXE
File created	C:\Windows\lhsp\help\SET2AAC.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET29F1.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET2A0B.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET2A9B.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET29F4.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentDp2.dll	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\SET29FA.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File created	C:\Windows\msagent\SET29DF.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe
File opened for modification	C:\Windows\lhsp\help\SET2AAC.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\agtinst.inf	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET29F3.tmp	MSAGENT.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Recovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.22000.1\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31117273"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3353859568"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D1955345-3BC2-11EF-B03F-D69AC9ECD474} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\SearchScopesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

BonziBDY_35.EXEregsvr32.exeAgentSvr.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B976287-3692-11D0-9B8A-0000C0F04C96}\TypeLib\ = "{0A45DB48-BD0D-11D2-8D14-00104B9E072A}"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\MiscStatus\ = "0"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4900F95-055F-11D4-8F9B-00104BA312D6}\ProxyStubClsid32	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider.2\CLSID\ = "{F08DF954-8592-11D1-B16A-00C0F0283628}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE3-1BF9-11D2-BAE8-00104B9E0792}\InprocServer32	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DECC98E1-EC4E-11D2-93E5-00104B9E078A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32\ = "C:\\Windows\\lhsp\\tv\\tvenuax.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FD3-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE9-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{1D06B600-3AE3-11CF-87B9-00AA006C8166}	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSFrame.3\CLSID	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FD4-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_35.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{159C2806-4A71-45B4-8D4E-74C181CD6842}\ = "_CCalendarVBPeriod"	BonziBDY_35.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A45DB48-BD0D-11D2-8D14-00104B9E072A}\2.0\FLAGS	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{159C2806-4A71-45B4-8D4E-74C181CD6842}\ = "CCalendarVBPeriod"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2\CLSID\ = "{DD9DA666-8594-11D1-B16A-00C0F0283628}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A45DB4F-BD0D-11D2-8D14-00104B9E072A}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\MiscStatus\1	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FD8-1BF9-11D2-BAE8-00104B9E0792}\MiscStatus\ = "0"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}\ProgID\ = "Threed.SSPanel.3"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentCharacter"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl.2\ = "Microsoft ImageList Control, version 6.0"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A031FBF6-81A7-4440-9E20-51ABB2289E4B}\VERSION	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ = "IImage"	BonziBDY_35.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDF-1BF9-11D2-BAE8-00104B9E0792}	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DACB7A39-CC0D-4B85-908B-10D2451761A5}\TypeLib	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62FCAC31-2581-11D2-BAF1-00104B9E0792}\ProxyStubClsid32	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FDE-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\Version = "3.0"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DECC98E1-EC4E-11D2-93E5-00104B9E078A}\ = "ISSImage"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22EB59AE-1CB8-4153-9DFC-B5CE048357CF}\ProgID	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B1BE80A-567F-11D1-B652-0060976C699F}\1.1	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\TypeLib	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FD5-1BF9-11D2-BAE8-00104B9E0792}\ = "ISSFrameBase"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE3-1BF9-11D2-BAE8-00104B9E0792}\Programmable	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{916694A9-8AD6-11D2-B6FD-0060976C699F}\TypeLib\ = "{6B1BE80A-567F-11D1-B652-0060976C699F}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}\ToolboxBitmap32	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A45DB4E-BD0D-11D2-8D14-00104B9E072A}\TypeLib\Version = "2.0"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\ = "IListSubItem"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ProgID	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LWVFile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{916694A8-8AD6-11D2-B6FD-0060976C699F}\TypeLib	BonziBDY_35.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2056 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Malware_pack_2.zip:Zone.Identifier msedge.exe

pid	process
2056	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Malware_pack_2.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exetaskmgr.exemsedge.exe

pid	process
4248	msedge.exe
4248	msedge.exe
1492	msedge.exe
1492	msedge.exe
1864	msedge.exe
1864	msedge.exe
2344	identity_helper.exe
2344	identity_helper.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exeMEMZ.exeBonziBDY_35.EXE

pid process

3888 taskmgr.exe
3584 MEMZ.exe
6824 BonziBDY_35.EXE

pid	process
3888	taskmgr.exe
3584	MEMZ.exe
6824	BonziBDY_35.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid	process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exeWMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exeAUDIODG.EXEtaskse.exe

description	pid	process
Token: SeDebugPrivilege	3888	taskmgr.exe
Token: SeSystemProfilePrivilege	3888	taskmgr.exe
Token: SeCreateGlobalPrivilege	3888	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	4000	WMIC.exe
Token: SeSecurityPrivilege	4000	WMIC.exe
Token: SeTakeOwnershipPrivilege	4000	WMIC.exe
Token: SeLoadDriverPrivilege	4000	WMIC.exe
Token: SeSystemProfilePrivilege	4000	WMIC.exe
Token: SeSystemtimePrivilege	4000	WMIC.exe
Token: SeProfSingleProcessPrivilege	4000	WMIC.exe
Token: SeIncBasePriorityPrivilege	4000	WMIC.exe
Token: SeCreatePagefilePrivilege	4000	WMIC.exe
Token: SeBackupPrivilege	4000	WMIC.exe
Token: SeRestorePrivilege	4000	WMIC.exe
Token: SeShutdownPrivilege	4000	WMIC.exe
Token: SeDebugPrivilege	4000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4000	WMIC.exe
Token: SeRemoteShutdownPrivilege	4000	WMIC.exe
Token: SeUndockPrivilege	4000	WMIC.exe
Token: SeManageVolumePrivilege	4000	WMIC.exe
Token: 33	4000	WMIC.exe
Token: 34	4000	WMIC.exe
Token: 35	4000	WMIC.exe
Token: 36	4000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4000	WMIC.exe
Token: SeSecurityPrivilege	4000	WMIC.exe
Token: SeTakeOwnershipPrivilege	4000	WMIC.exe
Token: SeLoadDriverPrivilege	4000	WMIC.exe
Token: SeSystemProfilePrivilege	4000	WMIC.exe
Token: SeSystemtimePrivilege	4000	WMIC.exe
Token: SeProfSingleProcessPrivilege	4000	WMIC.exe
Token: SeIncBasePriorityPrivilege	4000	WMIC.exe
Token: SeCreatePagefilePrivilege	4000	WMIC.exe
Token: SeBackupPrivilege	4000	WMIC.exe
Token: SeRestorePrivilege	4000	WMIC.exe
Token: SeShutdownPrivilege	4000	WMIC.exe
Token: SeDebugPrivilege	4000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4000	WMIC.exe
Token: SeRemoteShutdownPrivilege	4000	WMIC.exe
Token: SeUndockPrivilege	4000	WMIC.exe
Token: SeManageVolumePrivilege	4000	WMIC.exe
Token: 33	4000	WMIC.exe
Token: 34	4000	WMIC.exe
Token: 35	4000	WMIC.exe
Token: 36	4000	WMIC.exe
Token: SeBackupPrivilege	1664	vssvc.exe
Token: SeRestorePrivilege	1664	vssvc.exe
Token: SeAuditPrivilege	1664	vssvc.exe
Token: SeTcbPrivilege	3740	taskse.exe
Token: SeTcbPrivilege	3740	taskse.exe
Token: SeTcbPrivilege	1652	taskse.exe
Token: SeTcbPrivilege	1652	taskse.exe
Token: SeTcbPrivilege	2352	taskse.exe
Token: SeTcbPrivilege	2352	taskse.exe
Token: SeTcbPrivilege	1648	taskse.exe
Token: SeTcbPrivilege	1648	taskse.exe
Token: SeTcbPrivilege	2024	taskse.exe
Token: SeTcbPrivilege	2024	taskse.exe
Token: SeTcbPrivilege	4448	taskse.exe
Token: SeTcbPrivilege	4448	taskse.exe
Token: 33	3040	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3040	AUDIODG.EXE
Token: SeTcbPrivilege	2904	taskse.exe
Token: SeTcbPrivilege	2904	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

pid	process
1008	@[email protected]
4376	@[email protected]
1008	@[email protected]
4376	@[email protected]
3600	@[email protected]
3600	@[email protected]
3576	@[email protected]
1552	@[email protected]
4580	@[email protected]
3972	@[email protected]
3348	VineMEMZ-Original.exe
656	MEMZ.exe
2404	MEMZ.exe
3584	MEMZ.exe
2344	MEMZ.exe
1520	MEMZ.exe
4852	@[email protected]
1160	VineMEMZ-Original.exe
4648	@[email protected]
3144	identity_helper.exe
5224	@[email protected]
2044	@[email protected]
5400	@[email protected]
3968	@[email protected]
6048	tree.exe
5148	@[email protected]
7020	@[email protected]
6212	@[email protected]
6680	@[email protected]
3144	@[email protected]
6992	@[email protected]
7512	Installer.exe
7340	@[email protected]
7240	@[email protected]
3584	MEMZ.exe
3584	MEMZ.exe
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
6824	BonziBDY_35.EXE
4864	AgentSvr.exe
7836	@[email protected]
7904	@[email protected]
4552	@[email protected]
404	ielowutil.exe
3840	iexplore.exe
3840	iexplore.exe
3840	iexplore.exe
6032	IEXPLORE.EXE
6032	IEXPLORE.EXE
6032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1492 wrote to memory of 984	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 984	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1664	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4248	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 4248	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe
PID 1492 wrote to memory of 1604	1492	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4268 attrib.exe
3616 attrib.exe

pid	process
4268	attrib.exe
3616	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://archive.org/details/malware-pack-2
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
2⤵
PID:984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
2⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
2⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
2⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
2⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5268 /prefetch:8
2⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
2⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3780 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
2⤵
- NTFS ADS
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,14129984715017937412,11018984055383773752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
2⤵
PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3832

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1668

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\[email protected]
"C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:4692

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4268

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:224

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 90211720288678.bat
2⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:1568

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3616

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:1848

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:4580

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3484

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
4⤵
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,14417055205314558585,13687258338809242749,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
4⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,14417055205314558585,13687258338809242749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
4⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,14417055205314558585,13687258338809242749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
4⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14417055205314558585,13687258338809242749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
4⤵
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14417055205314558585,13687258338809242749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
4⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,14417055205314558585,13687258338809242749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
4⤵
PID:652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lknmewvzsp534" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\tasksche.exe\"" /f
2⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lknmewvzsp534" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2056

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5108

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3116

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4668

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4684

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:5216

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5224

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5248

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:3828

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5148

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:5392

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5400

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5848

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:5532

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1036

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:6032

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5148

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5844

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:7016

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7020

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:7048

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:6468

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6212

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1316

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:344

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6680

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:6196

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6064

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
- Executes dropped EXE
PID:5616

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6992

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:7140

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
PID:7860

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:7340

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
PID:1852

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
PID:7228

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:7240

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
PID:8084

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
PID:4132

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:7836

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
PID:1856

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
PID:7896

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:7904

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
PID:436

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
PID:4708

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
PID:1360

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
2⤵
PID:1464

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]
@[email protected]
2⤵
PID:2632

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
PID:4640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\VineMEMZ-Original.exe
"C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\VineMEMZ-Original.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:656

C:\Users\Admin\AppData\Roaming\MEMZ.exe
/watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Users\Admin\AppData\Roaming\MEMZ.exe
/watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Users\Admin\AppData\Roaming\MEMZ.exe
/watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Users\Admin\AppData\Roaming\MEMZ.exe
/main
3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=pussy+destroyer
4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
5⤵
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
5⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
5⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
5⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
5⤵
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
5⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
5⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
5⤵
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
5⤵
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
5⤵
PID:808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
5⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
5⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
5⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
5⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
5⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
5⤵
PID:5912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
5⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
5⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
5⤵
PID:5496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
5⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
5⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
5⤵
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
5⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
5⤵
PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
5⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
5⤵
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1
5⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
5⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
5⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6568 /prefetch:8
5⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7896 /prefetch:2
5⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1
5⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7644 /prefetch:1
5⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1
5⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7592 /prefetch:8
5⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
5⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
5⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
5⤵
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
5⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8220 /prefetch:1
5⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
5⤵
PID:6324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
5⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:1
5⤵
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8348 /prefetch:1
5⤵
PID:7128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8432 /prefetch:1
5⤵
PID:7148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8768 /prefetch:1
5⤵
PID:6212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8688 /prefetch:1
5⤵
PID:6828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9024 /prefetch:1
5⤵
PID:6448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8520 /prefetch:1
5⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9108 /prefetch:1
5⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9096 /prefetch:1
5⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9448 /prefetch:1
5⤵
PID:7064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
5⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9288 /prefetch:1
5⤵
PID:6648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9836 /prefetch:1
5⤵
PID:6484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9880 /prefetch:1
5⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1
5⤵
PID:7152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9332 /prefetch:1
5⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8824 /prefetch:1
5⤵
PID:6984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10136 /prefetch:1
5⤵
PID:6660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9700 /prefetch:1
5⤵
PID:7576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10316 /prefetch:1
5⤵
PID:7660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10464 /prefetch:1
5⤵
PID:7376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10448 /prefetch:1
5⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10504 /prefetch:1
5⤵
PID:8020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15608495741682676651,16114236704094877427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9488 /prefetch:1
5⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
4⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
4⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x120,0x130,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=animated+christmas+tree+for+desktop
4⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:6108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=cat+desktop
4⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=how+to+get+cursormania+in+2016
4⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=mp3+midi+converter
4⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=grand+dad+rom+download
4⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xc0,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=fuck+bees
4⤵
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/results?search_query=tootorals
4⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:5380

C:\Users\Admin\AppData\Roaming\Data\tree.exe
"C:\Users\Admin\AppData\Roaming\Data\tree.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=smash+mouth+all+star+midi
4⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=cool+toolbars
4⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=skrillex+scay+onster+an+nice+sprites+midi
4⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=limp+bizkit+mp3+download
4⤵
PID:6260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:6276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=stanky+danky+maymays
4⤵
PID:6724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:6732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=succ
4⤵
PID:7068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:7080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=expand+dong
4⤵
PID:6684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:6776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=john+cena+midi+legit+not+converted
4⤵
PID:6164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0x100,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:6168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=cortana+is+the+new+bonzi
4⤵
PID:580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:6284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=myfelix+download
4⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=free+midi+download
4⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:6964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=preventon+antivirus+download
4⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=snow+halation+midi
4⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:6672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=smileystoolbar+download
4⤵
PID:7508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:7520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=bad+ass+mafia+toolbar
4⤵
PID:7324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:7072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=is+bonzi+buddy+a+virus
4⤵
PID:7948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x120,0x130,0x7ffa16843cb8,0x7ffa16843cc8,0x7ffa16843cd8
5⤵
PID:7936

C:\Users\Admin\AppData\Roaming\Data\Installer.exe
"C:\Users\Admin\AppData\Roaming\Data\Installer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:7512

C:\Windows\SysWOW64\CScript.exe
"C:\Windows\system32\CScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bonzi\run.vbs" //e:vbscript //B //NOLOGO
5⤵
PID:6420

C:\Users\Admin\AppData\Local\Temp\Runtimes\MSAGENT.EXE
"C:\Users\Admin\AppData\Local\Temp\Runtimes\MSAGENT.EXE" /Q
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:4236

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
7⤵
- Loads dropped DLL
- Modifies registry class
PID:7164

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
7⤵
- Loads dropped DLL
PID:4980

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
7⤵
- Loads dropped DLL
- Modifies registry class
PID:3512

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
7⤵
- Loads dropped DLL
PID:7776

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
7⤵
- Loads dropped DLL
PID:5516

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
7⤵
- Loads dropped DLL
PID:7228

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
7⤵
- Loads dropped DLL
PID:7988

C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
7⤵
- Modifies registry class
PID:7260

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
7⤵
PID:6780

C:\Users\Admin\AppData\Local\Temp\Runtimes\tv_enua.exe
"C:\Users\Admin\AppData\Local\Temp\Runtimes\tv_enua.exe" /Q
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:6820

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
7⤵
- Loads dropped DLL
PID:5780

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
7⤵
- Loads dropped DLL
- Modifies registry class
PID:6076

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
7⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\BonziBDY_35.EXE
"C:\Users\Admin\AppData\Local\Temp\BonziBDY_35.EXE"
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6824

C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\VineMEMZ-Original.exe
"C:\Users\Admin\Downloads\Malware_pack_2\Malware_pack_2\VineMEMZ-Original.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6056

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3840 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:6032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3840 CREDAT:82948 /prefetch:2
2⤵
PID:4288

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3840 CREDAT:17414 /prefetch:2
2⤵
PID:8076

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3840 CREDAT:82952 /prefetch:2
2⤵
PID:5076

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3840 CREDAT:17420 /prefetch:2
2⤵
PID:7720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3840 CREDAT:82960 /prefetch:2
2⤵
PID:6320

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3840 CREDAT:17428 /prefetch:2
2⤵
PID:5220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:6252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery