Analysis
-
max time kernel
1642s -
max time network
1643s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
12-08-2024 18:30
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.yandex.com.tr/search/?text=bonzi+buddy+download&clid=2411726&lr=11508
Resource
win11-20240802-en
General
-
Target
https://www.yandex.com.tr/search/?text=bonzi+buddy+download&clid=2411726&lr=11508
Malware Config
Extracted
crimsonrat
185.136.161.124
Extracted
metasploit
windows/download_exec
http://149.129.72.37:23456/SNpK
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Signatures
-
CrimsonRAT main payload 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x000100000002afcc-4377.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4476 4508 rundll32.exe 188 -
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Processes:
wscript.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe -
ModiLoader First Stage 1 IoCs
Processes:
resource yara_rule behavioral1/memory/5584-4571-0x0000000010410000-0x000000001047E000-memory.dmp modiloader_stage1 -
RevengeRat Executable 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x000900000002ad24-5693.dat revengerat -
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exewscript.exeflow pid Process 341 4476 rundll32.exe 1006 4868 wscript.exe 1007 4868 wscript.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
MSAGENT.EXEtv_enua.exeexplorer.exedescription ioc Process Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components MSAGENT.EXE Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components tv_enua.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
resource yara_rule behavioral1/files/0x001100000002a062-7938.dat office_macro_on_action -
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid Process 2348 takeown.exe 1336 icacls.exe 2572 takeown.exe 3044 icacls.exe -
Drops startup file 2 IoCs
Processes:
RegSvcs.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe RegSvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA RegSvcs.exe -
Executes dropped EXE 11 IoCs
Processes:
BonziBuddy432.exeMSAGENT.EXEtv_enua.exeAgentSvr.exeBonziBDY_4.EXEAgentSvr.exedlrarhsiva.exeGoogle Chrome.exebutterflyondesktop.exebutterflyondesktop.tmpButterflyOnDesktop.exepid Process 3968 BonziBuddy432.exe 5060 MSAGENT.EXE 1888 tv_enua.exe 3564 AgentSvr.exe 3756 BonziBDY_4.EXE 3804 AgentSvr.exe 1508 dlrarhsiva.exe 2176 Google Chrome.exe 5160 butterflyondesktop.exe 4848 butterflyondesktop.tmp 1712 ButterflyOnDesktop.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
Processes:
reg.exedescription ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager reg.exe -
Loads dropped DLL 37 IoCs
Processes:
BonziBuddy432.exeMSAGENT.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exetv_enua.exeregsvr32.exeregsvr32.exeBonziBDY_4.EXEAgentSvr.exepid Process 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 3968 BonziBuddy432.exe 5060 MSAGENT.EXE 2988 regsvr32.exe 3772 regsvr32.exe 568 regsvr32.exe 1532 regsvr32.exe 2716 regsvr32.exe 1952 regsvr32.exe 2700 regsvr32.exe 1888 tv_enua.exe 4808 regsvr32.exe 4808 regsvr32.exe 1068 regsvr32.exe 3756 BonziBDY_4.EXE 3756 BonziBDY_4.EXE 3756 BonziBDY_4.EXE 3756 BonziBDY_4.EXE 3756 BonziBDY_4.EXE 3756 BonziBDY_4.EXE 3804 AgentSvr.exe 3804 AgentSvr.exe 3804 AgentSvr.exe 3804 AgentSvr.exe 3804 AgentSvr.exe 3756 BonziBDY_4.EXE 3756 BonziBDY_4.EXE 3756 BonziBDY_4.EXE -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid Process 2348 takeown.exe 1336 icacls.exe 2572 takeown.exe 3044 icacls.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
wscript.exetv_enua.exeNetWire.exeRegSvcs.exebutterflyondesktop.tmpdescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" tv_enua.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta" NetWire.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\RAT\\RevengeRAT.exe" RegSvcs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop butterflyondesktop.tmp -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
wscript.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
Processes:
flow ioc 370 drive.google.com 458 0.tcp.ngrok.io 579 0.tcp.ngrok.io 801 0.tcp.ngrok.io 873 0.tcp.ngrok.io 876 drive.google.com 1039 drive.google.com 317 0.tcp.ngrok.io 317 drive.google.com 577 0.tcp.ngrok.io 667 0.tcp.ngrok.io 876 0.tcp.ngrok.io -
Drops file in System32 directory 3 IoCs
Processes:
tv_enua.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\SET7615.tmp tv_enua.exe File created C:\Windows\SysWOW64\SET7615.tmp tv_enua.exe File opened for modification C:\Windows\SysWOW64\msvcp50.dll tv_enua.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
wscript.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\ghostroot\\8ydfdsE.jpg" wscript.exe -
Suspicious use of SetThreadContext 19 IoCs
Processes:
RevengeRAT.exeRegSvcs.exeNetWire.exeRevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exedescription pid Process procid_target PID 6236 set thread context of 6400 6236 RevengeRAT.exe 194 PID 6400 set thread context of 6448 6400 RegSvcs.exe 195 PID 5624 set thread context of 7084 5624 NetWire.exe 198 PID 5360 set thread context of 2644 5360 RevengeRAT.exe 305 PID 2644 set thread context of 3832 2644 RegSvcs.exe 306 PID 6800 set thread context of 6284 6800 RevengeRAT.exe 326 PID 6284 set thread context of 6940 6284 RegSvcs.exe 327 PID 6460 set thread context of 1408 6460 RevengeRAT.exe 351 PID 1408 set thread context of 6384 1408 RegSvcs.exe 352 PID 5128 set thread context of 5680 5128 RevengeRAT.exe 373 PID 5680 set thread context of 1352 5680 RegSvcs.exe 374 PID 3092 set thread context of 3856 3092 RevengeRAT.exe 390 PID 3856 set thread context of 5972 3856 RegSvcs.exe 391 PID 4132 set thread context of 5684 4132 RevengeRAT.exe 407 PID 5684 set thread context of 6740 5684 RegSvcs.exe 408 PID 4356 set thread context of 5172 4356 RevengeRAT.exe 413 PID 5172 set thread context of 6128 5172 RegSvcs.exe 414 PID 1020 set thread context of 2764 1020 RevengeRAT.exe 421 PID 2764 set thread context of 6544 2764 RegSvcs.exe 422 -
Drops file in Program Files directory 64 IoCs
Processes:
BonziBuddy432.exebutterflyondesktop.tmpBonziBDY_4.EXEdescription ioc Process File opened for modification C:\Program Files (x86)\BonziBuddy432\BBReader.EXE BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\BonziCTB.dll BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page12.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\Butterfly on Desktop\unins000.dat butterflyondesktop.tmp File opened for modification C:\Program Files (x86)\BonziBuddy432\Snd1.wav BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page6.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Apps.nbd BonziBDY_4.EXE File opened for modification C:\Program Files (x86)\BonziBuddy432\BonziBDY.vbw BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\p001.nbd BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Options\AutoShortcutsMaker.vbs BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page8.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page16.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page11.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page16.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb012.gif BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page1.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page1.jpg BonziBuddy432.exe File created C:\Program Files (x86)\Butterfly on Desktop\is-94F9C.tmp butterflyondesktop.tmp File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb008.gif BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page8.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\ActiveSkin.ocx BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page13.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page12.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page2.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\Thumbs.db BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\j3.nbd-SR BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb009.gif BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\SSubTmr6.dll BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\RACREG32.DLL BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\book BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\msvcrt.dll BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Jigsaw.exe BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\MSINET.OCX BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\t3.nbd-SR BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Options\bonzibuddys.URL BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\MSAGENTS\Peedy.acs BonziBuddy432.exe File created C:\Program Files (x86)\Butterfly on Desktop\is-K68OM.tmp butterflyondesktop.tmp File opened for modification C:\Program Files (x86)\BonziBuddy432\Runtimes\Readme.txt BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page5.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page14.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\BonziBUDDY_Killer.exe BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Reg.nbd BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page7.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page3.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\CHORD.WAV BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Options\registry.reg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\book BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page17.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page15.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Reg.nbd BonziBDY_4.EXE File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\~GLH0046.TMP BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page13.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page15.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\BG\Bg1.bmp BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp003.gif BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page10.jpg BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\favicon.ico BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\BG\Bg2.bmp BonziBuddy432.exe File opened for modification C:\Program Files (x86)\BonziBuddy432\Options\menu.bat BonziBuddy432.exe -
Drops file in Windows directory 58 IoCs
Processes:
MSAGENT.EXEtv_enua.exeBonziBuddy432.exechrome.exewscript.exedescription ioc Process File created C:\Windows\msagent\SET6849.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\AgentSR.dll MSAGENT.EXE File created C:\Windows\msagent\SET6870.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\AgtCtl15.tlb MSAGENT.EXE File opened for modification C:\Windows\INF\SET7614.tmp tv_enua.exe File created C:\Windows\msagent\SET6835.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\AgentDPv.dll MSAGENT.EXE File opened for modification C:\Windows\msagent\AgentAnm.dll MSAGENT.EXE File opened for modification C:\Windows\msagent\intl\SET686F.tmp MSAGENT.EXE File created C:\Windows\lhsp\tv\SET7600.tmp tv_enua.exe File opened for modification C:\Windows\lhsp\help\SET7612.tmp tv_enua.exe File opened for modification C:\Windows\msagent\SET6835.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\SET6847.tmp MSAGENT.EXE File created C:\Windows\msagent\SET686B.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\AgentPsh.dll MSAGENT.EXE File opened for modification C:\Windows\msagent\SET6848.tmp MSAGENT.EXE File created C:\Windows\msagent\SET684A.tmp MSAGENT.EXE File opened for modification C:\Windows\INF\SET686C.tmp MSAGENT.EXE File opened for modification C:\Windows\help\Agt0409.hlp MSAGENT.EXE File created C:\Windows\fonts\SET7613.tmp tv_enua.exe File opened for modification C:\Windows\msagent\AgentDp2.dll MSAGENT.EXE File created C:\Windows\msagent\intl\SET686F.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\SET6870.tmp MSAGENT.EXE File opened for modification C:\Windows\lhsp\tv\SET7600.tmp tv_enua.exe File opened for modification C:\Windows\msagent\chars\Bonzi.acs BonziBuddy432.exe File created C:\Windows\msagent\SET6846.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\SET686B.tmp MSAGENT.EXE File opened for modification C:\Windows\INF\agtinst.inf MSAGENT.EXE File opened for modification C:\Windows\help\SET686E.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\AgentMPx.dll MSAGENT.EXE File created C:\Windows\msagent\SET685A.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\SET686D.tmp MSAGENT.EXE File created C:\Windows\help\SET686E.tmp MSAGENT.EXE File created C:\Windows\msagent\SET6848.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\SET685A.tmp MSAGENT.EXE File created C:\Windows\msagent\SET6847.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\SET684A.tmp MSAGENT.EXE File opened for modification C:\Windows\msagent\intl\Agt0409.dll MSAGENT.EXE File created C:\Windows\INF\SET686C.tmp MSAGENT.EXE File opened for modification C:\Windows\lhsp\tv\tvenuax.dll tv_enua.exe File created C:\Windows\lhsp\help\SET7612.tmp tv_enua.exe File opened for modification C:\Windows\fonts\andmoipa.ttf tv_enua.exe File opened for modification C:\Windows\msagent\AgentSvr.exe MSAGENT.EXE File opened for modification C:\Windows\msagent\SET6849.tmp MSAGENT.EXE File created C:\Windows\msagent\SET686D.tmp MSAGENT.EXE File opened for modification C:\Windows\lhsp\tv\tv_enua.dll tv_enua.exe File opened for modification C:\Windows\INF\tv_enua.inf tv_enua.exe File opened for modification C:\Windows\msagent\chars\Peedy.acs BonziBuddy432.exe File opened for modification C:\Windows\lhsp\tv\SET7611.tmp tv_enua.exe File opened for modification C:\Windows\fonts\SET7613.tmp tv_enua.exe File opened for modification C:\Windows\SystemTemp chrome.exe File opened for modification C:\Windows\msagent\SET6846.tmp MSAGENT.EXE File opened for modification C:\Windows\System32 wscript.exe File opened for modification C:\Windows\msagent\AgentCtl.dll MSAGENT.EXE File opened for modification C:\Windows\msagent\mslwvtts.dll MSAGENT.EXE File created C:\Windows\lhsp\tv\SET7611.tmp tv_enua.exe File opened for modification C:\Windows\lhsp\help\tv_enua.hlp tv_enua.exe File created C:\Windows\INF\SET7614.tmp tv_enua.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes:
msedge.exemsedge.exedescription ioc Process File opened for modification C:\Users\Admin\Downloads\BonziBuddy432.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier msedge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
schtasks.exevbc.exeRegSvcs.exeGooseDesktop.exeRegSvcs.exeregsvr32.execvtres.exevbc.execvtres.exevbc.execvtres.execvtres.exegrpconv.execvtres.exeRegSvcs.exevbc.exeRegSvcs.exeRegSvcs.exevbc.execvtres.exeAgentSvr.exeNetWire.exevbc.execvtres.exevbc.exevbc.exeRegSvcs.exeRegSvcs.execvtres.execvtres.exevbc.exeRegSvcs.exeCrazyNCS.execvtres.exeregsvr32.exeregsvr32.exeBonziBuddy432.exeAgentSvr.exebutterflyondesktop.exetv_enua.exevbc.exeRegSvcs.exeAlerta.execvtres.exevbc.execvtres.execvtres.execvtres.exeRegSvcs.exeRegSvcs.exeRegSvcs.exeRegSvcs.exeButterflyOnDesktop.exeregsvr32.execvtres.exevbc.exevbc.exeregsvr32.exeNetWire.execvtres.exebutterflyondesktop.tmpregsvr32.exeRegSvcs.exeregsvr32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GooseDesktop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grpconv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AgentSvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NetWire.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CrazyNCS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BonziBuddy432.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AgentSvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language butterflyondesktop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tv_enua.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alerta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ButterflyOnDesktop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NetWire.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language butterflyondesktop.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXERegSvcs.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 RegSvcs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegSvcs.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 9 IoCs
Processes:
msedge.exeWINWORD.EXEchrome.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 4300 taskkill.exe -
Modifies Control Panel 4 IoCs
Processes:
wscript.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\International wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\International\s1159 = "Bolbi" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\International\s2359 = "Bolbi" wscript.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop wscript.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\SearchScopesUpgradeVersion = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430253725" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{061E4B39-58DC-11EF-8F5D-DA36AC4DAD27} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Recovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31124794" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.22000.1\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "786784701" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133679627544478757" chrome.exe -
Modifies registry class 64 IoCs
Processes:
BonziBDY_4.EXEBonziBuddy432.exeAgentSvr.exeregsvr32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22EB59AE-1CB8-4153-9DFC-B5CE048357CF}\ProgID\ = "BonziBUDDY.CPeriod" BonziBDY_4.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D31-2CDD-11D3-9DD0-D3CD4078982A} BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Version\ = "2.0" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}\InprocServer32 BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F55ED2E0-6E13-11CE-918C-0000C0554C0A}\TypeLib\Version = "1.0" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A45DB4D-BD0D-11D2-8D14-00104B9E072A}\TypeLib\Version = "2.0" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575} AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32 AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DACB7A39-CC0D-4B85-908B-10D2451761A5}\TypeLib\ = "{F4900F5D-055F-11D4-8F9B-00104BA312D6}" BonziBDY_4.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ProgID BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CurVer\ = "MSComctlLib.ProgCtrl.2" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FD8-1BF9-11D2-BAE8-00104B9E0792}\ToolboxBitmap32 BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE0-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\ = "{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E8671A8B-E5DD-11CD-836C-0000C0C14E92}\1.0\HELPDIR\ BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DED86423-10D4-4CE1-8C84-9C9EC1B43364}\LocalServer32 BonziBDY_4.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5A31F2F-122F-4615-A9B7-90841538EC7C}\VERSION BonziBDY_4.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE3-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DECC98E1-EC4E-11D2-93E5-00104B9E078A} BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComFilters\CLSID BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{972DE6B5-8B09-11D2-B652-A1FD6CC34260}\1.0 BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D42-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib BonziBuddy432.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628} BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider\CurVer BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22DF5084-12BC-4C98-8044-4FAD06F4119A}\ProxyStubClsid32 BonziBDY_4.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D4A-2CDD-11D3-9DD0-D3CD4078982A}\Programmable BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D4B-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32 BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FDE-1BF9-11D2-BAE8-00104B9E0792} BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A45DB4F-BD0D-11D2-8D14-00104B9E072A}\Printable BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\InprocServer32 BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE9-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FD2-1BF9-11D2-BAE8-00104B9E0792}\TypeLib BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62FCAC31-2581-11D2-BAF1-00104B9E0792}\TypeLib\Version = "3.0" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74179610-5A56-11CE-940F-0000C0C14E92}\TypeLib\Version = "1.0" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "131473" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\TypeLib BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575} AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D49-2CDD-11D3-9DD0-D3CD4078982A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\MiscStatus\1 BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\MiscStatus BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00E212A0-E66D-11CD-836C-0000C0C14E92}\TypeLib\Version = "1.0" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D44-2CDD-11D3-9DD0-D3CD4078982A}\ProgID BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl\CurVer\ = "MSComctlLib.ImageComboCtl.2" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07D0E280-EF44-11CD-836C-0000C0C14E92}\ = "ISSMonth" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DED86423-10D4-4CE1-8C84-9C9EC1B43364}\LocalServer32\ = "C:\\Program Files (x86)\\BonziBuddy432\\BonziBDY_4.EXE" BonziBDY_4.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83C2D7A0-0DE6-11D3-9DCF-9423F1B2561C}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}" BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32 BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE9-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{322982E1-0855-11D3-9DCF-DDFB3AB09E18}\InprocServer32 BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32 BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FD8-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} BonziBuddy432.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CDA1CA04-8B5D-11D0-9BC0-0000C0F04C96}\TypeLib BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}\TypeLib\Version = "2.0" AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D49-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D49-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}" BonziBuddy432.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment" BonziBuddy432.exe -
NTFS ADS 11 IoCs
Processes:
msedge.exemsedge.exemsedge.exemsedge.exeRegSvcs.exemsedge.exemsedge.exemsedge.exemsedge.exedescription ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 54181.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Desktop Goose v0.31.zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Desktop Goose for Mac v0.22.zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\virus-stuff-main.zip:Zone.Identifier msedge.exe File created C:\svchost\svchost.exe\:Zone.Identifier:$DATA RegSvcs.exe File opened for modification C:\Users\Admin\Downloads\OIP.jpg:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier msedge.exe File created C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA RegSvcs.exe File opened for modification C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 596752.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\BonziBuddy432.exe:Zone.Identifier msedge.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid Process 4508 WINWORD.EXE 4508 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exechrome.exemsedge.exemsedge.exemsedge.exepid Process 1044 msedge.exe 1044 msedge.exe 5108 msedge.exe 5108 msedge.exe 3040 msedge.exe 2972 msedge.exe 2972 msedge.exe 4712 identity_helper.exe 4712 identity_helper.exe 2072 msedge.exe 2072 msedge.exe 2072 msedge.exe 2072 msedge.exe 2212 msedge.exe 2212 msedge.exe 3040 msedge.exe 3040 msedge.exe 3124 msedge.exe 3124 msedge.exe 3868 msedge.exe 3868 msedge.exe 3292 msedge.exe 3292 msedge.exe 4780 msedge.exe 4780 msedge.exe 6868 chrome.exe 6868 chrome.exe 5012 msedge.exe 5012 msedge.exe 6384 msedge.exe 6384 msedge.exe 5132 msedge.exe 5132 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
RegSvcs.exepid Process 6400 RegSvcs.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
Processes:
msedge.exechrome.exepid Process 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 6868 chrome.exe 6868 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
AgentSvr.exeAUDIODG.EXERevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exechrome.exedescription pid Process Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 660 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 660 AUDIODG.EXE Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: SeDebugPrivilege 6236 RevengeRAT.exe Token: SeDebugPrivilege 6400 RegSvcs.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: SeDebugPrivilege 5360 RevengeRAT.exe Token: SeDebugPrivilege 2644 RegSvcs.exe Token: 33 3804 AgentSvr.exe Token: SeIncBasePriorityPrivilege 3804 AgentSvr.exe Token: SeDebugPrivilege 6800 RevengeRAT.exe Token: SeDebugPrivilege 6284 RegSvcs.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe Token: SeShutdownPrivilege 6868 chrome.exe Token: SeCreatePagefilePrivilege 6868 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid Process 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe -
Suspicious use of SendNotifyMessage 43 IoCs
Processes:
msedge.exeAgentSvr.exechrome.exeButterflyOnDesktop.exeexplorer.exepid Process 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 3804 AgentSvr.exe 3804 AgentSvr.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 5108 msedge.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 6868 chrome.exe 1712 ButterflyOnDesktop.exe 6040 explorer.exe 6040 explorer.exe 6040 explorer.exe 6040 explorer.exe 6040 explorer.exe 6040 explorer.exe 6040 explorer.exe 6040 explorer.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
Processes:
msedge.exeBonziBuddy432.exeMSAGENT.EXEtv_enua.exeAgentSvr.exeBonziBDY_4.EXEiexplore.exeIEXPLORE.EXEWINWORD.EXEpid Process 3868 msedge.exe 3968 BonziBuddy432.exe 5060 MSAGENT.EXE 1888 tv_enua.exe 3564 AgentSvr.exe 3756 BonziBDY_4.EXE 3756 BonziBDY_4.EXE 248 iexplore.exe 248 iexplore.exe 664 IEXPLORE.EXE 664 IEXPLORE.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 3756 BonziBDY_4.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE 4508 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid Process procid_target PID 5108 wrote to memory of 2664 5108 msedge.exe 82 PID 5108 wrote to memory of 2664 5108 msedge.exe 82 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1340 5108 msedge.exe 83 PID 5108 wrote to memory of 1044 5108 msedge.exe 84 PID 5108 wrote to memory of 1044 5108 msedge.exe 84 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 PID 5108 wrote to memory of 4504 5108 msedge.exe 85 -
System policy modification 1 TTPs 22 IoCs
Processes:
wscript.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPinningToTaskbar = "1" wscript.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.yandex.com.tr/search/?text=bonzi+buddy+download&clid=2411726&lr=115081⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcef7a3cb8,0x7ffcef7a3cc8,0x7ffcef7a3cd82⤵PID:2664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:22⤵PID:1340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:82⤵PID:4504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵PID:4624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:2172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5176 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:12⤵PID:4252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:12⤵PID:1924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:12⤵PID:2592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:12⤵PID:2712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4832 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5160 /prefetch:82⤵PID:5104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:12⤵PID:4656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:12⤵PID:3256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:12⤵PID:3500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:12⤵PID:1532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:12⤵PID:3308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:12⤵PID:2396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7056 /prefetch:82⤵PID:3428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:12⤵PID:3856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:12⤵PID:4860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:12⤵PID:1956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4908 /prefetch:82⤵PID:3388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6592 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7332 /prefetch:12⤵PID:3976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:12⤵PID:3700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:12⤵PID:3396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:12⤵PID:2920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:12⤵PID:3160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:12⤵PID:712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:12⤵PID:3496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:12⤵PID:3912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:12⤵PID:5056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:12⤵PID:1192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:12⤵PID:1976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:12⤵PID:1540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:12⤵PID:4788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵PID:3340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:12⤵PID:3796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:12⤵PID:3608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:12⤵PID:4252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:12⤵PID:1640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:12⤵PID:3856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:12⤵PID:4364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:12⤵PID:3368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:12⤵PID:3812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:12⤵PID:1604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2872 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:12⤵PID:2500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:12⤵PID:1800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:12⤵PID:3732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:12⤵PID:3152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:12⤵PID:2120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7924 /prefetch:12⤵PID:4372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8028 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:12⤵PID:3592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7296 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:12⤵PID:5016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵PID:2076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8468 /prefetch:12⤵PID:6660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8772 /prefetch:12⤵PID:1672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8788 /prefetch:12⤵PID:5388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:12⤵PID:2860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8912 /prefetch:12⤵PID:5976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8852 /prefetch:12⤵PID:2176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9192 /prefetch:12⤵PID:4132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:12⤵PID:3056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:12⤵PID:556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8732 /prefetch:12⤵PID:960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:12⤵PID:5720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:12⤵PID:6096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:12⤵PID:5256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:12⤵PID:5376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:12⤵PID:5804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9180 /prefetch:82⤵PID:6904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:12⤵PID:6280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9168 /prefetch:12⤵PID:4212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵PID:1956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:12⤵PID:6408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:12⤵PID:6804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:12⤵PID:3280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8816 /prefetch:12⤵PID:908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:12⤵PID:5196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8596 /prefetch:12⤵PID:6616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:12⤵PID:3652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8432 /prefetch:12⤵PID:5444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:12⤵PID:1656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7784 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8596 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:6384
-
-
C:\Users\Admin\Downloads\butterflyondesktop.exe"C:\Users\Admin\Downloads\butterflyondesktop.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5160 -
C:\Users\Admin\AppData\Local\Temp\is-HTVE8.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-HTVE8.tmp\butterflyondesktop.tmp" /SL5="$100346,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4848 -
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:1712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html4⤵PID:1404
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcef7a3cb8,0x7ffcef7a3cc8,0x7ffcef7a3cd85⤵PID:5204
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7408 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17590745922840042859,12906451133020210105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:12⤵PID:7164
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2780
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:804
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2172
-
C:\Users\Admin\Downloads\BonziBuddy432.exe"C:\Users\Admin\Downloads\BonziBuddy432.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "2⤵PID:2016
-
C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXEMSAGENT.EXE3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5060 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2988
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"4⤵
- Loads dropped DLL
PID:3772
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:568
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1532
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1952
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"4⤵
- Loads dropped DLL
PID:2700
-
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3564
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵PID:2208
-
-
-
C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exetv_enua.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1888 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4808
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1068
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵
- System Location Discovery: System Language Discovery
PID:808
-
-
-
-
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3756
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3804
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D01⤵
- Suspicious use of AdjustPrivilegeToken
PID:660
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵PID:3908
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:248 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:248 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:664
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:4684
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"1⤵PID:1712
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵
- Executes dropped EXE
PID:1508
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CobaltStrike.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4508 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:4476
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"1⤵
- System Location Discovery: System Language Discovery
PID:5584 -
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5624 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵PID:7084
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6236 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:6400 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:6448
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\luox8rty.cmdline"3⤵PID:6136
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6F297687D434C328CA0E3D93A41DBED.TMP"4⤵PID:5272
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4hmhnf0n.cmdline"3⤵PID:5440
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA258.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8CFB52764E6496E8D90B5E2315DC48D.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:2760
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkwp9bbz.cmdline"3⤵PID:3644
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C93EAF0825E4678BAB147151B6F96.TMP"4⤵PID:5936
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jledkbw3.cmdline"3⤵PID:6116
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA342.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24E937261D7B48DF8FA8D9B596251FE7.TMP"4⤵PID:5392
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtonr4w0.cmdline"3⤵PID:3060
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B8E4E5CBAAF43338C7B9D36E4991DF.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5852
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3hgst_py.cmdline"3⤵PID:6072
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA42C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5531983B4FA4490B17D5939E6793D6.TMP"4⤵PID:580
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\61kv8t87.cmdline"3⤵PID:5724
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA48A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AF80B61236B4B4EA6E1B0F8A9AD5DC9.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5268
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j8tikjq8.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9476357FAC0F439CA87D4D815A5F3976.TMP"4⤵PID:5340
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tv7ivwdm.cmdline"3⤵PID:540
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA565.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACA985B1B49741758797B629BD41B57C.TMP"4⤵PID:240
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qmuigb9k.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:6192 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BB3E62FA58844E49081196F9DC4A86.TMP"4⤵PID:6384
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gyalgums.cmdline"3⤵PID:6504
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA620.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2E914CAE04C47038035DD7F9DF2DBE.TMP"4⤵PID:6708
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nyzsdwep.cmdline"3⤵PID:6900
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA69D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21D6A420FC074AA786D4772713F463E.TMP"4⤵PID:7044
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3-6ug0z.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:6208 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE63EBDB578424D93BD6896BD9BE96ABA.TMP"4⤵PID:6524
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\52gqpwfa.cmdline"3⤵PID:6692
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA65013AC3C0E4218A1C360C8D4C523D6.TMP"4⤵PID:7088
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7xzedvqp.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:5584 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB527101B51BD4ECCAA728C5AB11FA9DA.TMP"4⤵PID:6268
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aaeot_4i.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:6604 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA814.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9222EFEF953A41CF9CBB7B7FC86899EE.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:6224
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7thx4gys.cmdline"3⤵PID:4000
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA891.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C79FE2A2BE149C9BDD63B6B5B91211A.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5608
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7fw3uo2x.cmdline"3⤵PID:6368
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D015432D8194F4895D2DEABA4DCCF38.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5776
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ula5pjr9.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:5704 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA94D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBFD1BAA905E42CD887734E4BEDD96C.TMP"4⤵PID:5416
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\18tlzira.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:5920 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEB8DD038B604F738C3CBCB4416BCC8A.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5968
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4fppcwzk.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:5148 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67241FE98AFE4CF4A8824E6E422E29A.TMP"4⤵PID:6136
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5864
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8kyqf0yz.cmdline"3⤵PID:5376
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEED2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A96212B2C5B41AB92E568C28211C62F.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:3932
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\truhzy6v.cmdline"3⤵PID:5964
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63686A83970C472497977818E8FBDEB2.TMP"4⤵PID:6120
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kgs4lr96.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFFB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2308C5A18B3644F787E6B82EA1FC232D.TMP"4⤵PID:3928
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2gtrx-mb.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF087.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc120E1C3736942FFB164659040AF19EC.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5820
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8idi2mye.cmdline"3⤵PID:888
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD8BB65F87F83444C9B69CA3859676E0.TMP"4⤵PID:3724
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\31z1fej2.cmdline"3⤵PID:5400
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF22D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA508CE63B34947008CC2E520761632D4.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5748
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mfs2-dro.cmdline"3⤵PID:6372
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF308.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9C30928514248009E8F04441D567BD.TMP"4⤵PID:6276
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ssinpbsa.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:6684 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF395.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0B009E6BC93495FBBFAEE235FB11E78.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:6540
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b5atz7m0.cmdline"3⤵PID:7008
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF412.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA4D21F596AE453CB58E23A07A23DB6.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:6948
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rw9jd-cq.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:6284 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF47F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9ED85058507B4508AA34F72A285AA92F.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:6208
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ylu0ysmo.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:6772 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C4F8040F1C44DDA865D1AC25A504E64.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:6848
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkjeyfvv.cmdline"3⤵PID:6304
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF569.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DAE5EAB92DE473D91BE643B3FC7319E.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:1756
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ro0cdd_.cmdline"3⤵PID:6752
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77AAA3CEFE654479A171A189A114F9B.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:6532
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\anmkfmaf.cmdline"3⤵PID:4800
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59BE4C8EAEA94BBA9F3DF9C2FA1CB42C.TMP"4⤵PID:4788
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\anjlteqe.cmdline"3⤵PID:5100
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5078.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11B5F07DBB342F8968497AA2D99FB5C.TMP"4⤵PID:5208
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ptfjhbv.cmdline"3⤵PID:6908
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73C83E5FE8694DA69CC16C95FD9B68C7.TMP"4⤵PID:5124
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qb79zxl2.cmdline"3⤵PID:812
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES527B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC68627253A6040D7A9C2897742313A33.TMP"4⤵PID:1744
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q2i8grye.cmdline"3⤵PID:4924
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5385.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55C81334751A4EBFA320B1E84C4AB6D1.TMP"4⤵PID:6928
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g8woulq9.cmdline"3⤵PID:1068
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES555A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3784D66065AB43C19FFA304F7B6E896E.TMP"4⤵PID:804
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nimfw9i0.cmdline"3⤵PID:5384
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF4CF84430FF4505926B49EC8EC1D495.TMP"4⤵PID:2476
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\htv95y0i.cmdline"3⤵PID:4016
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5896.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67ECD21B6D5C403EA68A5019F14ACFF.TMP"4⤵PID:460
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l5cgxxfm.cmdline"3⤵PID:5316
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5932.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA90FF1A81C1E4445B64CE817DB287A35.TMP"4⤵PID:4632
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ju1giph-.cmdline"3⤵PID:6836
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF0F229F8084933B2F9EFA26B6C68B.TMP"4⤵PID:4060
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mzwwhso3.cmdline"3⤵PID:6972
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc342BA04413774439AA1034DB6561D410.TMP"4⤵PID:4376
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yqxl-zki.cmdline"3⤵PID:5720
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E72.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6D2642A927A4149976AA87FF227107B.TMP"4⤵PID:6164
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5rgguilt.cmdline"3⤵PID:2572
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FBA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C88E6EE910424296E9D18459AC10E8.TMP"4⤵PID:5244
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-qbotejk.cmdline"3⤵PID:6996
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6112.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C4F02D45BE54D90B467582D68D8C1CC.TMP"4⤵PID:4692
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t2zd1vwu.cmdline"3⤵PID:3524
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6364.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F8E8CEF23444C268A35D86E1B80768.TMP"4⤵PID:5996
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2g0msntr.cmdline"3⤵PID:5208
-
-