metastealer | 2634e98693c22d899a46c988e808478b0d5858072f713bbd6a22767b33b0ffd4

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\", \"C:\\ProgramData\\Microsoft\\AppV\\Setup\\fontdrvhost.exe\", \"C:\\Users\\Admin\\Contacts\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\sihost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\", \"C:\\ProgramData\\Microsoft\\AppV\\Setup\\fontdrvhost.exe\", \"C:\\Users\\Admin\\Contacts\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\sihost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\System.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\", \"C:\\ProgramData\\Microsoft\\AppV\\Setup\\fontdrvhost.exe\", \"C:\\Users\\Admin\\Contacts\\lsass.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\", \"C:\\ProgramData\\Microsoft\\AppV\\Setup\\fontdrvhost.exe\", \"C:\\Users\\Admin\\Contacts\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\sihost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\System.exe\", \"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\", \"C:\\ProgramData\\Microsoft\\AppV\\Setup\\fontdrvhost.exe\", \"C:\\Users\\Admin\\Contacts\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\sihost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\System.exe\", \"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\", \"C:\\Users\\Default\\My Documents\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\", \"C:\\ProgramData\\Microsoft\\AppV\\Setup\\fontdrvhost.exe\", \"C:\\Users\\Admin\\Contacts\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\sihost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\System.exe\", \"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\", \"C:\\Users\\Default\\My Documents\\RuntimeBroker.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\", \"C:\\ProgramData\\Microsoft\\AppV\\Setup\\fontdrvhost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\", \"C:\\ProgramData\\Microsoft\\AppV\\Setup\\fontdrvhost.exe\", \"C:\\Users\\Admin\\Contacts\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	injection.exe

Process spawned unexpected child process 56 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2764	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2764	schtasks.exe	80

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata
Downloads MZ/PE file

Executes dropped EXE 64 IoCs

pid	Process
4516	RuntimeBroker.exe
4456	spoolsv.exe
860	fontdrvhost.exe
1404	winlogon.exe
4572	OfficeClickToRun.exe
3672	Registry.exe
3832	ChromeRecovery.exe
1376	GoogleUpdateSetup.exe
3468	GoogleUpdate.exe
1236	GoogleUpdate.exe
8896	GoogleUpdate.exe
4484	GoogleUpdateComRegisterShell64.exe
1984	GoogleUpdateComRegisterShell64.exe
9064	GoogleUpdateComRegisterShell64.exe
2376	GoogleUpdate.exe
12544	GoogleUpdate.exe
3596	sihost.exe
3672	GoogleUpdate.exe
5632	GoogleCrashHandler.exe
5648	GoogleCrashHandler64.exe
5600	GoogleUpdateSetup.exe
5748	GoogleUpdate.exe
5888	GoogleUpdate.exe
5988	GoogleUpdate.exe
5256	GoogleUpdate.exe
5468	GoogleUpdateComRegisterShell64.exe
5660	GoogleUpdateComRegisterShell64.exe
6068	GoogleUpdateComRegisterShell64.exe
12972	GoogleUpdate.exe
6236	Registry.exe
6312	lsass.exe
3832	spoolsv.exe
11252	upfc.exe
12312	fontdrvhost.exe
9424	winlogon.exe
8620	OfficeClickToRun.exe
10588	System.exe
10800	RuntimeBroker.exe
11584	GoogleUpdate.exe
11636	GoogleUpdate.exe
11788	GoogleUpdate.exe
11812	GoogleCrashHandler.exe
5536	GoogleCrashHandler64.exe
13272	GoogleUpdate.exe
5732	Registry.exe
12544	GoogleUpdate.exe
6028	spoolsv.exe
3808	100.0.4896.88_chrome_installer.exe
5248	setup.exe
12468	setup.exe
12604	GoogleCrashHandler.exe
12616	GoogleCrashHandler64.exe
12632	GoogleUpdate.exe
12816	sihost.exe
7324	fontdrvhost.exe
13168	Registry.exe
7532	winlogon.exe
8012	lsass.exe
7696	OfficeClickToRun.exe
8232	spoolsv.exe
4372	Registry.exe
8944	upfc.exe
9648	fontdrvhost.exe
9752	winlogon.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	injection.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Loads dropped DLL 33 IoCs

pid	Process
3468	GoogleUpdate.exe
1236	GoogleUpdate.exe
8896	GoogleUpdate.exe
4484	GoogleUpdateComRegisterShell64.exe
8896	GoogleUpdate.exe
1984	GoogleUpdateComRegisterShell64.exe
8896	GoogleUpdate.exe
9064	GoogleUpdateComRegisterShell64.exe
8896	GoogleUpdate.exe
2376	GoogleUpdate.exe
12544	GoogleUpdate.exe
3672	GoogleUpdate.exe
3672	GoogleUpdate.exe
12544	GoogleUpdate.exe
5748	GoogleUpdate.exe
5888	GoogleUpdate.exe
5988	GoogleUpdate.exe
5256	GoogleUpdate.exe
5468	GoogleUpdateComRegisterShell64.exe
5256	GoogleUpdate.exe
5660	GoogleUpdateComRegisterShell64.exe
5256	GoogleUpdate.exe
6068	GoogleUpdateComRegisterShell64.exe
5256	GoogleUpdate.exe
12972	GoogleUpdate.exe
11584	GoogleUpdate.exe
11636	GoogleUpdate.exe
11788	GoogleUpdate.exe
13272	GoogleUpdate.exe
12544	GoogleUpdate.exe
12544	GoogleUpdate.exe
11636	GoogleUpdate.exe
12632	GoogleUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\System.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\odt\\winlogon.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\ProgramData\\ssh\\sihost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Admin\\Links\\OfficeClickToRun.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\odt\\fontdrvhost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\ProgramData\\Microsoft\\AppV\\Setup\\fontdrvhost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\My Documents\\RuntimeBroker.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\fontdrvhost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Contacts\\lsass.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\""	injection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\upfc.exe\""	injection.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	injection.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	injection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ipinfo.io
30	ipinfo.io

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_th.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\goopdateres_hi.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\goopdateres_is.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_zh-CN.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\libEGL.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{376FB8D7-C48B-413A-8D60-7F265640863B}\CR_868AB.tmp\setup.exe	100.0.4896.88_chrome_installer.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_ur.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\goopdateres_tr.dll	GoogleUpdateSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\sl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\uk.pak	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_et.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\psuser_64.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_tr.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\bn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\fa.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\hi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12380_1611291205\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_ro.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_sr.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\psuser.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\goopdateres_hi.dll	GoogleUpdateSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_da.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_it.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\goopdateres_bn.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\goopdateres_it.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\goopdateres_sl.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_cs.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_lt.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\psmachine.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_es.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\psuser_64.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Application\new_chrome.exe	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\goopdateres_id.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleUpdateSetup.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\goopdateres_hr.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\psuser.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\goopdateres_bn.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\goopdateres_cs.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\el.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\WidevineCdm\LICENSE	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\goopdateres_hu.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\goopdateres_it.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\goopdateres_zh-CN.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\goopdateres_pl.dll	GoogleUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUMA592.tmp\GoogleUpdateSetup.exe	GoogleUpdateSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\ja.pak	setup.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\27d1bcfc3c54e0	injection.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_uk.dll	GoogleUpdateSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\goopdateres_fa.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\Install\{376FB8D7-C48B-413A-8D60-7F265640863B}\100.0.4896.88_chrome_installer.exe	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5248_1670641873\Chrome-bin\100.0.4896.88\VisualElements\SmallLogoDev.png	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_nl.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleCrashHandler.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_fa.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC592.tmp\goopdateres_pt-PT.dll	GoogleUpdateSetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\MusNotification.exe	injection.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 56 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5064	schtasks.exe
2672	schtasks.exe
3996	schtasks.exe
3512	schtasks.exe
4064	schtasks.exe
4444	schtasks.exe
2648	schtasks.exe
4612	schtasks.exe
4160	schtasks.exe
1616	schtasks.exe
2844	schtasks.exe
4420	schtasks.exe
1320	schtasks.exe
4644	schtasks.exe
4624	schtasks.exe
4200	schtasks.exe
4236	schtasks.exe
3256	schtasks.exe
4252	schtasks.exe
1404	schtasks.exe
4860	schtasks.exe
4304	schtasks.exe
2348	schtasks.exe
1752	schtasks.exe
3104	schtasks.exe
1180	schtasks.exe
4192	schtasks.exe
224	schtasks.exe
2552	schtasks.exe
4140	schtasks.exe
3460	schtasks.exe
3440	schtasks.exe
4648	schtasks.exe
4748	schtasks.exe
208	schtasks.exe
4336	schtasks.exe
4164	schtasks.exe
2368	schtasks.exe
4588	schtasks.exe
440	schtasks.exe
4584	schtasks.exe
3156	schtasks.exe
3472	schtasks.exe
1296	schtasks.exe
1684	schtasks.exe
4888	schtasks.exe
4472	schtasks.exe
4956	schtasks.exe
1100	schtasks.exe
2972	schtasks.exe
4220	schtasks.exe
3880	schtasks.exe
1936	schtasks.exe
3720	schtasks.exe
4260	schtasks.exe
1424	schtasks.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SystemSettings.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods\ = "43"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ = "IGoogleUpdate3WebSecurity"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ = "Google Update Process Launcher Class"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\ProgID\ = "GoogleUpdate.PolicyStatusMachineFallback.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.121\\GoogleUpdateBroker.exe\""	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc\ = "Google Update Policy Status Class"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win64	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods\ = "24"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods\ = "4"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync.1.0\CLSID\ = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation\IconReference = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.121\\goopdate.dll,-1004"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback\CLSID\ = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods\ = "41"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ = "IPolicyStatus3"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ = "IAppVersion"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ServiceParameters = "/comsvc"	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\Elevation\Enabled = "1"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2732F2FE-BCF7-4CE1-8ABD-951329519827}\InprocHandler32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ = "IApp2"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ = "ICoCreateAsyncStatus"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ = "IGoogleUpdate3"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ = "IPolicyStatus"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods\ = "11"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	injection.exe
2440	injection.exe
2440	injection.exe
2440	injection.exe
2440	injection.exe
2440	injection.exe
2440	injection.exe
2440	injection.exe
2440	injection.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
4516	RuntimeBroker.exe
1304	chrome.exe
1304	chrome.exe
1936	chrome.exe
1936	chrome.exe
1376	chrome.exe
1376	chrome.exe
476	chrome.exe
476	chrome.exe
2320	chrome.exe
2320	chrome.exe
1924	chrome.exe
1924	chrome.exe
4260	chrome.exe
4260	chrome.exe
2976	chrome.exe
2976	chrome.exe
4008	chrome.exe
4008	chrome.exe
4224	chrome.exe
4224	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4516	RuntimeBroker.exe
5084	NOTEPAD.EXE
1420	taskmgr.exe
6764	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	injection.exe
Token: SeDebugPrivilege	4516	RuntimeBroker.exe
Token: SeShutdownPrivilege	4316	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4316	SystemSettings.exe
Token: SeShutdownPrivilege	4316	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4316	SystemSettings.exe
Token: SeDebugPrivilege	1420	taskmgr.exe
Token: SeSystemProfilePrivilege	1420	taskmgr.exe
Token: SeCreateGlobalPrivilege	1420	taskmgr.exe
Token: SeDebugPrivilege	4456	spoolsv.exe
Token: SeDebugPrivilege	860	fontdrvhost.exe
Token: SeDebugPrivilege	1404	winlogon.exe
Token: SeDebugPrivilege	4572	OfficeClickToRun.exe
Token: SeDebugPrivilege	3672	Registry.exe
Token: SeDebugPrivilege	3468	GoogleUpdate.exe
Token: SeDebugPrivilege	3468	GoogleUpdate.exe
Token: SeDebugPrivilege	3468	GoogleUpdate.exe
Token: SeDebugPrivilege	3468	GoogleUpdate.exe
Token: SeDebugPrivilege	2376	GoogleUpdate.exe
Token: SeDebugPrivilege	3596	sihost.exe
Token: SeDebugPrivilege	12544	GoogleUpdate.exe
Token: SeDebugPrivilege	3672	GoogleUpdate.exe
Token: 33	5632	GoogleCrashHandler.exe
Token: SeIncBasePriorityPrivilege	5632	GoogleCrashHandler.exe
Token: 33	5648	GoogleCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	5648	GoogleCrashHandler64.exe
Token: SeDebugPrivilege	5748	GoogleUpdate.exe
Token: SeDebugPrivilege	5888	GoogleUpdate.exe
Token: SeDebugPrivilege	5888	GoogleUpdate.exe
Token: SeDebugPrivilege	5888	GoogleUpdate.exe
Token: SeDebugPrivilege	12972	GoogleUpdate.exe
Token: SeDebugPrivilege	6236	Registry.exe
Token: SeDebugPrivilege	6312	lsass.exe
Token: 33	1420	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1420	taskmgr.exe
Token: SeDebugPrivilege	3832	spoolsv.exe
Token: SeDebugPrivilege	11252	upfc.exe
Token: SeDebugPrivilege	6764	taskmgr.exe
Token: SeSystemProfilePrivilege	6764	taskmgr.exe
Token: SeCreateGlobalPrivilege	6764	taskmgr.exe
Token: SeDebugPrivilege	8620	OfficeClickToRun.exe
Token: SeDebugPrivilege	12312	fontdrvhost.exe
Token: SeDebugPrivilege	9424	winlogon.exe
Token: SeDebugPrivilege	10588	System.exe
Token: SeDebugPrivilege	10800	RuntimeBroker.exe
Token: 33	11812	GoogleCrashHandler.exe
Token: SeIncBasePriorityPrivilege	11812	GoogleCrashHandler.exe
Token: SeDebugPrivilege	11788	GoogleUpdate.exe
Token: 33	5536	GoogleCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	5536	GoogleCrashHandler64.exe
Token: 33	11584	GoogleUpdate.exe
Token: SeIncBasePriorityPrivilege	11584	GoogleUpdate.exe
Token: SeDebugPrivilege	5732	Registry.exe
Token: SeDebugPrivilege	11636	GoogleUpdate.exe
Token: SeDebugPrivilege	6028	spoolsv.exe
Token: 33	3808	100.0.4896.88_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	3808	100.0.4896.88_chrome_installer.exe
Token: SeDebugPrivilege	12544	GoogleUpdate.exe
Token: SeDebugPrivilege	12632	GoogleUpdate.exe
Token: SeDebugPrivilege	12816	sihost.exe
Token: SeDebugPrivilege	7324	fontdrvhost.exe
Token: SeDebugPrivilege	13168	Registry.exe
Token: SeDebugPrivilege	7532	winlogon.exe
Token: SeDebugPrivilege	8012	lsass.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4316	SystemSettings.exe
1924	chrome.exe
5084	NOTEPAD.EXE
5084	NOTEPAD.EXE
5084	NOTEPAD.EXE
6948	ShellExperienceHost.exe
6948	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 4516	2440	injection.exe	139
PID 2440 wrote to memory of 4516	2440	injection.exe	139
PID 4516 wrote to memory of 2236	4516	RuntimeBroker.exe	143
PID 4516 wrote to memory of 2236	4516	RuntimeBroker.exe	143
PID 4516 wrote to memory of 2340	4516	RuntimeBroker.exe	144
PID 4516 wrote to memory of 2340	4516	RuntimeBroker.exe	144
PID 1936 wrote to memory of 5008	1936	chrome.exe	154
PID 1936 wrote to memory of 5008	1936	chrome.exe	154
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 3424	1936	chrome.exe	155
PID 1936 wrote to memory of 1304	1936	chrome.exe	156
PID 1936 wrote to memory of 1304	1936	chrome.exe	156
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159
PID 1936 wrote to memory of 4256	1936	chrome.exe	159

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	injection.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	injection.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	injection.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\injection.exe
"C:\Users\Admin\AppData\Local\Temp\injection.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2440
- C:\Recovery\WindowsRE\RuntimeBroker.exe
  "C:\Recovery\WindowsRE\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4516
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a482ffc8-279e-4363-88f4-6371121688aa.vbs"
    3⤵
    PID:2236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9b307e2-8cee-41da-a42f-8a31670bfaf6.vbs"
    3⤵
    PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 8 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Links\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONSTART /tr "'C:\Users\Admin\Links\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONSTART /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONSTART /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Microsoft\AppV\Setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\AppV\Setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONSTART /tr "'C:\ProgramData\Microsoft\AppV\Setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Microsoft\AppV\Setup\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONSTART /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc MINUTE /mo 10 /tr "'C:\ProgramData\ssh\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\ProgramData\ssh\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONSTART /tr "'C:\ProgramData\ssh\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\ProgramData\ssh\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\Program Files\Windows NT\TableTextService\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONSTART /tr "'C:\Users\Admin\Searches\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0f994f50,0x7ffb0f994f60,0x7ffb0f994f70
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3976 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4448 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:908
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff754a6a890,0x7ff754a6a8a0,0x7ff754a6a8b0
    3⤵
    PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=812 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2680 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1088 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  PID:9288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:11232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:12512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:13156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:12308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:6624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,558931907399244988,9540667975260604135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:8612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1428

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Program Files\Windows Portable Devices\spoolsv.exe
"C:\Program Files\Windows Portable Devices\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New Text Document.bat" "
1⤵
PID:1868

C:\Users\Admin\Searches\fontdrvhost.exe
C:\Users\Admin\Searches\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\odt\winlogon.exe
C:\odt\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Users\Admin\Links\OfficeClickToRun.exe
C:\Users\Admin\Links\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New Text Document.bat" "
1⤵
PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
  2⤵
  PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
    3⤵
    PID:4428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
      4⤵
      PID:3256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        5⤵
        
        PID:3480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        6⤵
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        7⤵
        
        PID:1172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        8⤵
        
        PID:1492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        9⤵
        
        PID:536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        10⤵
        
        PID:4152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        11⤵
        
        PID:3648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        12⤵
        
        PID:1440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        13⤵
        
        PID:4104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        14⤵
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        15⤵
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        16⤵
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        17⤵
        
        PID:3524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        18⤵
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        19⤵
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        20⤵
        
        PID:8
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        21⤵
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        22⤵
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        23⤵
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        24⤵
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        25⤵
        
        PID:4292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        26⤵
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        27⤵
        
        PID:4024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        28⤵
        
        PID:4364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        29⤵
        
        PID:3668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        30⤵
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        31⤵
        
        PID:1192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        32⤵
        
        PID:5128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        33⤵
        
        PID:5176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        34⤵
        
        PID:5232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        35⤵
        
        PID:5288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        36⤵
        
        PID:5336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        37⤵
        
        PID:5392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        38⤵
        
        PID:5444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        39⤵
        
        PID:5500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        40⤵
        
        PID:5556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        41⤵
        
        PID:5604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        42⤵
        
        PID:5652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        43⤵
        
        PID:5700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        44⤵
        
        PID:5752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        45⤵
        
        PID:5800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        46⤵
        
        PID:5848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        47⤵
        
        PID:5896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        48⤵
        
        PID:5944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        49⤵
        
        PID:6000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        50⤵
        
        PID:6052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        51⤵
        
        PID:6100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        52⤵
        
        PID:5144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        53⤵
        
        PID:5356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        54⤵
        
        PID:5520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        55⤵
        
        PID:5716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        56⤵
        
        PID:5952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        57⤵
        
        PID:5192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        58⤵
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        59⤵
        
        PID:6192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        60⤵
        
        PID:6240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        61⤵
        
        PID:6288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        62⤵
        
        PID:6332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        63⤵
        
        PID:6376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        64⤵
        
        PID:6420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        65⤵
        
        PID:6468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        66⤵
        
        PID:6512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        67⤵
        
        PID:6556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        68⤵
        
        PID:6600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        69⤵
        
        PID:6644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        70⤵
        
        PID:6692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        71⤵
        
        PID:6744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        72⤵
        
        PID:6792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        73⤵
        
        PID:6836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        74⤵
        
        PID:6880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        75⤵
        
        PID:6932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        76⤵
        
        PID:6980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        77⤵
        
        PID:7024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        78⤵
        
        PID:7068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        79⤵
        
        PID:7112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        80⤵
        
        PID:7156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        81⤵
        
        PID:6300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        82⤵
        
        PID:6656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        83⤵
        
        PID:6952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        84⤵
        
        PID:7172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        85⤵
        
        PID:7216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        86⤵
        
        PID:7264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        87⤵
        
        PID:7308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        88⤵
        
        PID:7352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        89⤵
        
        PID:7396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        90⤵
        
        PID:7440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        91⤵
        
        PID:7484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        92⤵
        
        PID:7536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        93⤵
        
        PID:7580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        94⤵
        
        PID:7624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        95⤵
        
        PID:7668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        96⤵
        
        PID:7720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        97⤵
        
        PID:7764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        98⤵
        
        PID:7808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        99⤵
        
        PID:7852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        100⤵
        
        PID:7900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        101⤵
        
        PID:7944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        102⤵
        
        PID:7988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        103⤵
        
        PID:8032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        104⤵
        
        PID:8080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        105⤵
        
        PID:8124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        106⤵
        
        PID:8168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        107⤵
        
        PID:7364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        108⤵
        
        PID:7732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        109⤵
        
        PID:8092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        110⤵
        
        PID:8216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        111⤵
        
        PID:8260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        112⤵
        
        PID:8308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        113⤵
        
        PID:8352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        114⤵
        
        PID:8400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        115⤵
        
        PID:8448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        116⤵
        
        PID:8508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        117⤵
        
        PID:8560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        118⤵
        
        PID:8624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        119⤵
        
        PID:8680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        120⤵
        
        PID:8744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        121⤵
        
        PID:8796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        122⤵
        
        PID:8848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        123⤵
        
        PID:8908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        124⤵
        
        PID:8960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        125⤵
        
        PID:9012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        126⤵
        
        PID:9068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        127⤵
        
        PID:9120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        128⤵
        
        PID:9172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        129⤵
        
        PID:8280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        130⤵
        
        PID:4180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        131⤵
        
        PID:4272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        132⤵
        
        PID:9024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        133⤵
        
        PID:9224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        134⤵
        
        PID:9276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        135⤵
        
        PID:9336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        136⤵
        
        PID:9388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        137⤵
        
        PID:9448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        138⤵
        
        PID:9500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        139⤵
        
        PID:9568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        140⤵
        
        PID:9624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        141⤵
        
        PID:9684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        142⤵
        
        PID:9736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        143⤵
        
        PID:9796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        144⤵
        
        PID:9848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        145⤵
        
        PID:9916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        146⤵
        
        PID:9976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        147⤵
        
        PID:10036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        148⤵
        
        PID:10088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        149⤵
        
        PID:10140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        150⤵
        
        PID:10200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        151⤵
        
        PID:9460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        152⤵
        
        PID:5388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        153⤵
        
        PID:4448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        154⤵
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        155⤵
        
        PID:10272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        156⤵
        
        PID:10328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        157⤵
        
        PID:10384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        158⤵
        
        PID:10436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        159⤵
        
        PID:10488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        160⤵
        
        PID:10540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        161⤵
        
        PID:10592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        162⤵
        
        PID:10660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        163⤵
        
        PID:10712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        164⤵
        
        PID:10764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        165⤵
        
        PID:10824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        166⤵
        
        PID:10884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        167⤵
        
        PID:10936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        168⤵
        
        PID:10988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        169⤵
        
        PID:11052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        170⤵
        
        PID:11096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        171⤵
        
        PID:11160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        172⤵
        
        PID:11216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        173⤵
        
        PID:10396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        174⤵
        
        PID:6464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        175⤵
        
        PID:11064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        176⤵
        
        PID:11272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        177⤵
        
        PID:11348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        178⤵
        
        PID:11420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        179⤵
        
        PID:11548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        180⤵
        
        PID:11600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        181⤵
        
        PID:11652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        182⤵
        
        PID:11704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        183⤵
        
        PID:11756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        184⤵
        
        PID:11816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        185⤵
        
        PID:11880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        186⤵
        
        PID:11932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        187⤵
        
        PID:11996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        188⤵
        
        PID:12048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        189⤵
        
        PID:12100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        190⤵
        
        PID:12156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        191⤵
        
        PID:12208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        192⤵
        
        PID:12268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        193⤵
        
        PID:1308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        194⤵
        
        PID:11836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        195⤵
        
        PID:12112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        196⤵
        
        PID:12296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\New Text Document.bat"
        197⤵
        
        PID:12348

C:\Recovery\WindowsRE\Registry.exe
C:\Recovery\WindowsRE\Registry.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:12380
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12380_1611291205\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12380_1611291205\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={8b0de0e8-1cf3-4dc9-b8ad-d6f3882f1473} --system
  2⤵
  - Executes dropped EXE
  PID:3832
- - C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12380_1611291205\GoogleUpdateSetup.exe
    "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12380_1611291205\GoogleUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1376
  - - C:\Program Files (x86)\Google\Temp\GUMC592.tmp\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Temp\GUMC592.tmp\GoogleUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:3468
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1236
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:8896
      - C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4484
      - C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1984
      - C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:9064
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjZFMzJGRkQtMkJGNS00RDQxLUEzODMtQkIyREVENzZDOTFEfSIgdXNlcmlkPSJ7RjQ1QTA5MjYtRDREQy00OUQyLUI1RjctRDVCQTZEQjA1QjM2fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0Y4MTE3QTI2LUNENkMtNERBNS1CQ0QzLUIzN0U5MTU1RTEwNX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjEyMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMDE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
- - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /machine /installsource chromerecovery
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:12544

C:\ProgramData\ssh\sihost.exe
C:\ProgramData\ssh\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3672
- C:\Program Files (x86)\Google\Update\Install\{32E153D7-2629-43C0-A714-5465DDD0E403}\GoogleUpdateSetup.exe
  "C:\Program Files (x86)\Google\Update\Install\{32E153D7-2629-43C0-A714-5465DDD0E403}\GoogleUpdateSetup.exe" /update /sessionid "{026C9273-0CA2-45FC-BFC7-7C4D1EB1462B}"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5600
- - C:\Program Files (x86)\Google\Temp\GUMA592.tmp\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Temp\GUMA592.tmp\GoogleUpdate.exe" /update /sessionid "{026C9273-0CA2-45FC-BFC7-7C4D1EB1462B}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5888
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:5988
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:5256
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5468
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5660
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:6068
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDI2QzkyNzMtMENBMi00NUZDLUJGQzctN0M0RDFFQjE0NjJCfSIgdXNlcmlkPSJ7RjQ1QTA5MjYtRDREQy00OUQyLUI1RjctRDVCQTZEQjA1QjM2fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7NjNDQkI1MUYtOEJBNC00N0NELThFNzgtQzI4OEZEOThDMEU4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI0IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIxLjMuMzYuMTIxIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjEyMiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjIxNVIiIGluc3RhbGxhZ2U9IjkxIiBpbnN0YWxsZGF0ZT0iNTU3OSIgY29ob3J0PSIxOjljbzoxNGxmQDAuMDAxNDAwMDAwMDAwMDAwMDAwMiIgY29ob3J0bmFtZT0iRXZlcnlvbmUgRWxzZSI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:12972
- C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleCrashHandler.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5632
- C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleCrashHandler64.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.121\GoogleCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5648
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDI2QzkyNzMtMENBMi00NUZDLUJGQzctN0M0RDFFQjE0NjJCfSIgdXNlcmlkPSJ7RjQ1QTA5MjYtRDREQy00OUQyLUI1RjctRDVCQTZEQjA1QjM2fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0RCNTFBQkJFLUJBNTUtNDRCRi1CNjQ1LTIwNTkwOUM1MUJBOH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjEyMSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIyMTVSIiBpbnN0YWxsYWdlPSI5MSIgaWlkPSJ7OEQ4QjE0NjAtMzA3NS00RjI3LUQ4MzEtOEMwMTU3QkIzNjYwfSIgY29ob3J0PSIxOjljbzoxNGxmQDAuMDAxNDAwMDAwMDAwMDAwMDAwMiIgY29ob3J0bmFtZT0iRXZlcnlvbmUgRWxzZSI-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9yZWRpcmVjdG9yLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi91cGRhdGUyL2hveWI1NGx3eXh3ajI1cHJpeG1ibmltem40XzEuMy4zNi4xMjIvR29vZ2xlVXBkYXRlU2V0dXAuZXhlIiBkb3dubG9hZGVkPSIxMzQzMzIwIiB0b3RhbD0iMTM0MzMyMCIgZG93bmxvYWRfdGltZV9tcz0iMTIyNTciLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzQy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjIxNVIiIGluc3RhbGxhZ2U9IjkxIiBpaWQ9Ins4RDhCMTQ2MC0zMDc1LTRGMjctRDgzMS04QzAxNTdCQjM2NjB9Ij48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iOSIgZXJyb3Jjb2RlPSItMTYwNjIxOTc0OCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:5748

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:180

C:\Recovery\WindowsRE\Registry.exe
C:\Recovery\WindowsRE\Registry.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6236

C:\Users\Admin\Contacts\lsass.exe
C:\Users\Admin\Contacts\lsass.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6312

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6948

C:\Program Files\Windows Portable Devices\spoolsv.exe
"C:\Program Files\Windows Portable Devices\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe
"C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:11252

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:6764

C:\Users\Admin\Searches\fontdrvhost.exe
C:\Users\Admin\Searches\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:12312

C:\odt\winlogon.exe
C:\odt\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:9424

C:\Users\Admin\Links\OfficeClickToRun.exe
C:\Users\Admin\Links\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8620

C:\Program Files\Windows NT\TableTextService\en-US\System.exe
"C:\Program Files\Windows NT\TableTextService\en-US\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:10588

C:\Users\Default\My Documents\RuntimeBroker.exe
"C:\Users\Default\My Documents\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:10800

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:11584
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /cr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:11788
- C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:11812
- C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler64.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5536
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource core
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:13272

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:11636

C:\Recovery\WindowsRE\Registry.exe
C:\Recovery\WindowsRE\Registry.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5732

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:12544
- C:\Program Files (x86)\Google\Update\Install\{376FB8D7-C48B-413A-8D60-7F265640863B}\100.0.4896.88_chrome_installer.exe
  "C:\Program Files (x86)\Google\Update\Install\{376FB8D7-C48B-413A-8D60-7F265640863B}\100.0.4896.88_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- - C:\Program Files (x86)\Google\Update\Install\{376FB8D7-C48B-413A-8D60-7F265640863B}\CR_868AB.tmp\setup.exe
    "C:\Program Files (x86)\Google\Update\Install\{376FB8D7-C48B-413A-8D60-7F265640863B}\CR_868AB.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{376FB8D7-C48B-413A-8D60-7F265640863B}\CR_868AB.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    PID:5248
  - - C:\Program Files (x86)\Google\Update\Install\{376FB8D7-C48B-413A-8D60-7F265640863B}\CR_868AB.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{376FB8D7-C48B-413A-8D60-7F265640863B}\CR_868AB.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=100.0.4896.88 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff652373828,0x7ff652373838,0x7ff652373848
      4⤵
      Executes dropped EXE
      PID:12468
- C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  PID:12604
- C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler64.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  PID:12616
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjUyMkUwNzgtOTU5Ni00NUVGLUE3RjgtMzI5Nzg3NzQ2MUUyfSIgdXNlcmlkPSJ7RjQ1QTA5MjYtRDREQy00OUQyLUI1RjctRDVCQTZEQjA1QjM2fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins1QTIzRjg3Ny03ODNCLTQ2MzAtOUQyQi0xQ0I5NEY0RjY5QjF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjQiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzQy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIG5leHR2ZXJzaW9uPSIxMDAuMC40ODk2Ljg4IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIyMTVSIiBpbnN0YWxsYWdlPSI5MSIgaW5zdGFsbGRhdGU9IjU1NzkiIGNvaG9ydD0iMTpndToiIGNvaG9ydG5hbWU9IlN0YWJsZSI-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9yZWRpcmVjdG9yLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi9jaHJvbWUvYnBsaW9vazJrenh3ZnhsdjVjc2l5dXZ4bGVfMTAwLjAuNDg5Ni44OC8xMDAuMC40ODk2Ljg4X2Nocm9tZV9pbnN0YWxsZXIuZXhlIiBkb3dubG9hZGVkPSI4MzE4MDcwNCIgdG90YWw9IjgzMTgwNzA0IiBkb3dubG9hZF90aW1lX21zPSIyOTkzOCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMDkiIGRvd25sb2FkX3RpbWVfbXM9IjMxNTAwIiBkb3dubG9hZGVkPSI4MzE4MDcwNCIgdG90YWw9IjgzMTgwNzA0IiBpbnN0YWxsX3RpbWVfbXM9IjIxMDQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:12632

C:\Program Files\Windows Portable Devices\spoolsv.exe
"C:\Program Files\Windows Portable Devices\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6028

C:\ProgramData\ssh\sihost.exe
C:\ProgramData\ssh\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:12816

C:\Users\Admin\Searches\fontdrvhost.exe
C:\Users\Admin\Searches\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7324

C:\Recovery\WindowsRE\Registry.exe
C:\Recovery\WindowsRE\Registry.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:13168

C:\odt\winlogon.exe
C:\odt\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7532

C:\Users\Admin\Contacts\lsass.exe
C:\Users\Admin\Contacts\lsass.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8012

C:\Users\Admin\Links\OfficeClickToRun.exe
C:\Users\Admin\Links\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
PID:7696

C:\Program Files\Windows Portable Devices\spoolsv.exe
"C:\Program Files\Windows Portable Devices\spoolsv.exe"
1⤵
- Executes dropped EXE
PID:8232

C:\Recovery\WindowsRE\Registry.exe
C:\Recovery\WindowsRE\Registry.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe
"C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe"
1⤵
- Executes dropped EXE
PID:8944

C:\Users\Admin\Searches\fontdrvhost.exe
C:\Users\Admin\Searches\fontdrvhost.exe
1⤵
- Executes dropped EXE
PID:9648

C:\odt\winlogon.exe
C:\odt\winlogon.exe
1⤵
- Executes dropped EXE
PID:9752

C:\Users\Admin\Links\OfficeClickToRun.exe
C:\Users\Admin\Links\OfficeClickToRun.exe
1⤵
PID:9412

C:\ProgramData\ssh\sihost.exe
C:\ProgramData\ssh\sihost.exe
1⤵
PID:9468

C:\Program Files\Windows Portable Devices\spoolsv.exe
"C:\Program Files\Windows Portable Devices\spoolsv.exe"
1⤵
PID:9940

C:\Program Files\Windows NT\TableTextService\en-US\System.exe
"C:\Program Files\Windows NT\TableTextService\en-US\System.exe"
1⤵
PID:10504

C:\Users\Default\My Documents\RuntimeBroker.exe
"C:\Users\Default\My Documents\RuntimeBroker.exe"
1⤵
PID:10608

C:\Recovery\WindowsRE\Registry.exe
C:\Recovery\WindowsRE\Registry.exe
1⤵
PID:10528

C:\Users\Admin\Contacts\lsass.exe
C:\Users\Admin\Contacts\lsass.exe
1⤵
PID:12396

C:\Recovery\WindowsRE\Registry.exe
C:\Recovery\WindowsRE\Registry.exe
1⤵
PID:11684

C:\Users\Admin\Searches\fontdrvhost.exe
C:\Users\Admin\Searches\fontdrvhost.exe
1⤵
PID:11168

C:\Program Files\Windows Portable Devices\spoolsv.exe
"C:\Program Files\Windows Portable Devices\spoolsv.exe"
1⤵
PID:11556

C:\odt\winlogon.exe
C:\odt\winlogon.exe
1⤵
PID:8968

C:\Users\Admin\Links\OfficeClickToRun.exe
C:\Users\Admin\Links\OfficeClickToRun.exe
1⤵
PID:7012

C:\ProgramData\ssh\sihost.exe
C:\ProgramData\ssh\sihost.exe
1⤵
PID:6848

C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe
"C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe"
1⤵
PID:9948

C:\Program Files\Windows Portable Devices\spoolsv.exe
"C:\Program Files\Windows Portable Devices\spoolsv.exe"
1⤵
PID:7156

C:\Recovery\WindowsRE\Registry.exe
C:\Recovery\WindowsRE\Registry.exe
1⤵
PID:7996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery