babadeda | hxxp://www[.]ssrllc[.]com/publication/portfolio-update-shopping-the-bargain-bin/

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\105.0.5195.127\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe

Registers COM server for autorun 1 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\105.0.5195.127\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\INPROCSERVER32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Program Files\\Google\\Chrome\\Application\\105.0.5195.127\\notification_helper.exe"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\INPROCSERVER32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	GoogleUpdate.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetSupport.url	gwspro.exe

Loads dropped DLL 64 IoCs

pid	Process
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe
380	gwspro.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	gwspro.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	gwspro.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdate.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_en.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_am.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_ar.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\105.0.5195.127.manifest	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\eventlog_provider.dll	setup.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2376_2097629646\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\psuser.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\ml.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_da.dll	uninstall.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\it.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\tr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_hi.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_sv.dll	uninstall.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\fi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\ur.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\setup.exe	105.0.5195.127_chrome_installer.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\GoogleUpdateCore.exe	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_is.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_sw.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_th.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_it.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\hu.pak	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\GoogleCrashHandler.exe	uninstall.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_es.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\ro.pak	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\GoogleCrashHandler64.exe	uninstall.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\GoogleUpdateBroker.exe	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_pt-PT.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_sk.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\GoogleUpdateSetup.exe	uninstall.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_da.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_fil.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_pl.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\da.pak	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_fil.dll	uninstall.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\GoogleUpdateOnDemand.exe	uninstall.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\sk.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\VisualElements\Logo.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\mojo_core.dll	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_de.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_pt-BR.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_te.dll	uninstall.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\ko.pak	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_ms.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\psmachine.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\af.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\elevation_service.exe	setup.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2376_2097629646\manifest.json	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\psmachine.dll	uninstall.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_en.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_lv.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\Locales\lv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1668_1434994529\Chrome-bin\105.0.5195.127\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\goopdateres_no.dll	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service	chrome.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Cloudflare_security_install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Cloudflare_security_install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Cloudflare_security_install.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\ProgID\ = "GoogleUpdate.PolicyStatusMachineFallback.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ = "IPolicyStatusValue"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C4CDEFF-756A-4804-9E77-3E8EB9361016}\ProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods\ = "16"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ = "IApp"	GoogleUpdateComRegisterShell64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ = "IGoogleUpdateCore"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync.1.0\CLSID\ = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ = "ICoCreateAsync"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync\CurVer\ = "GoogleUpdate.CoCreateAsync.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods\ = "17"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ = "IGoogleUpdate3WebSecurity"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ = "IBrowserHttpRequest2"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ = "IJobObserver2"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ = "IAppVersion"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\ChromeHTML	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C4CDEFF-756A-4804-9E77-3E8EB9361016}\AppID = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods\ = "6"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A50E9E56-BA18-4FCD-8DDF-B91F12D0B6B9}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2188	chrome.exe
2188	chrome.exe
1988	chrome.exe
1988	chrome.exe
808	chrome.exe
808	chrome.exe
2284	chrome.exe
2284	chrome.exe
2756	chrome.exe
2756	chrome.exe
4560	chrome.exe
4560	chrome.exe
3936	chrome.exe
3936	chrome.exe
4920	chrome.exe
4920	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
396	Cloudflare_security_install.exe
396	Cloudflare_security_install.exe
2792	GoogleUpdate.exe
2792	GoogleUpdate.exe
2792	GoogleUpdate.exe
2792	GoogleUpdate.exe
2792	GoogleUpdate.exe
2792	GoogleUpdate.exe
1364	GoogleUpdate.exe
1364	GoogleUpdate.exe
2312	chrome.exe
2312	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2312	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	GoogleUpdate.exe
Token: SeDebugPrivilege	2792	GoogleUpdate.exe
Token: SeDebugPrivilege	2792	GoogleUpdate.exe
Token: SeSecurityPrivilege	1184	client32.exe
Token: 33	4952	105.0.5195.127_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	4952	105.0.5195.127_chrome_installer.exe
Token: 33	4160	GoogleCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	4160	GoogleCrashHandler64.exe
Token: 33	3528	GoogleCrashHandler.exe
Token: SeIncBasePriorityPrivilege	3528	GoogleCrashHandler.exe
Token: SeDebugPrivilege	1364	GoogleUpdate.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1184	client32.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2312	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4620	1988	chrome.exe	81
PID 1988 wrote to memory of 4620	1988	chrome.exe	81
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 4244	1988	chrome.exe	84
PID 1988 wrote to memory of 2188	1988	chrome.exe	85
PID 1988 wrote to memory of 2188	1988	chrome.exe	85
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86
PID 1988 wrote to memory of 4452	1988	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.ssrllc.com/publication/portfolio-update-shopping-the-bargain-bin/
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbca814f50,0x7ffbca814f60,0x7ffbca814f70
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=212 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2720 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=916 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4288 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=992 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3064 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,8199069850206392189,5659133210721084776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4396 /prefetch:8
  2⤵
  PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4472

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2376
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2376_2097629646\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2376_2097629646\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={6dbfa086-a771-4d2c-a1c3-38795d75b389} --system
  2⤵
  - Executes dropped EXE
  PID:4280

\??\E:\Cloudflare_security_install.exe
"E:\Cloudflare_security_install.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:396
- C:\Users\Admin\AppData\Roaming\Steelray Project Viewer\gwspro.exe
  "C:\Users\Admin\AppData\Roaming\Steelray Project Viewer\gwspro.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Maps connected drives based on registry
  PID:380
- - C:\Users\Admin\AppData\Roaming\NetSupport_v_2.26548\client32.exe
    "C:\Users\Admin\AppData\Roaming\NetSupport_v_2.26548\client32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1184
- - C:\Users\Admin\AppData\Roaming\NetSupport_v_2.26548\uninstall.exe
    "C:\Users\Admin\AppData\Roaming\NetSupport_v_2.26548\uninstall.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2140
  - - C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Temp\GUMAC7D.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1266CA4D-0917-452A-19FA-B8B51EF60ACD}&lang=ru&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
      4⤵
      Executes dropped EXE
      Sets file execution options in registry
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2792
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:992
      - C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:932
      - C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:4920
      - C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:4172
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTg1Q0NENDEtOTc3Qi00MzZFLUIyMUMtMTNGMEYyQ0I5OEZGfSIgdXNlcmlkPSJ7NUEwNkFERjItN0Y0Ny00MUZGLTgzOTMtRkZFOUY5RjRGRUI1fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezM0N0Q0QzU2LTAwMUQtNDQ5QS1CRUVBLUM0MDI0NDFCMzBGRn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjcxIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjEzMiIgbGFuZz0icnUiIGJyYW5kPSIiIGNsaWVudD0iIiBpaWQ9InsxMjY2Q0E0RC0wOTE3LTQ1MkEtMTlGQS1COEI1MUVGNjBBQ0R9Ij48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9Ijk5OTMiLz48L2FwcD48L3JlcXVlc3Q-
        5⤵
        Executes dropped EXE
        
        PID:2312
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1266CA4D-0917-452A-19FA-B8B51EF60ACD}&lang=ru&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{A85CCD41-977B-436E-B21C-13F0F2CB98FF}"
        5⤵
        Executes dropped EXE
        
        PID:2344

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
PID:1604
- C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\105.0.5195.127_chrome_installer.exe
  "C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\105.0.5195.127_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\guiAF9.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- - C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\setup.exe
    "C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\guiAF9.tmp"
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    PID:1668
  - - C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=105.0.5195.127 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7fbb40098,0x7ff7fbb400a8,0x7ff7fbb400b8
      4⤵
      Executes dropped EXE
      PID:2488
  - - C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      PID:3604
    - - C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\setup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{AFAF6A6B-F319-47BC-BD6D-9DBF2FB1A742}\CR_2608E.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=105.0.5195.127 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7fbb40098,0x7ff7fbb400a8,0x7ff7fbb400b8
        5⤵
        Executes dropped EXE
        
        PID:4408
- C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTg1Q0NENDEtOTc3Qi00MzZFLUIyMUMtMTNGMEYyQ0I5OEZGfSIgdXNlcmlkPSJ7NUEwNkFERjItN0Y0Ny00MUZGLTgzOTMtRkZFOUY5RjRGRUI1fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0FCQTEzODY2LTMyQkItNEVEMy05OTkyLTM2RTc3NDVDNDI1Q30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTA1LjAuNTE5NS4xMjciIGFwPSJ4NjQtc3RhYmxlLXN0YXRzZGVmXzEiIGxhbmc9InJ1IiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMzgiIGlpZD0iezEyNjZDQTRELTA5MTctNDUyQS0xOUZBLUI4QjUxRUY2MEFDRH0iIGNvaG9ydD0iMTpndS9pMTk6IiBjb2hvcnRuYW1lPSJTdGFibGUgSW5zdGFsbHMgJmFtcDsgVmVyc2lvbiBQaW5zIj48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL2VkZ2VkbC5tZS5ndnQxLmNvbS9lZGdlZGwvcmVsZWFzZTIvY2hyb21lL2FjaDdkYmJycTdhcXlsZmt4M3dtanJ2ZDN2amFfMTA1LjAuNTE5NS4xMjcvMTA1LjAuNTE5NS4xMjdfY2hyb21lX2luc3RhbGxlci5leGUiIGRvd25sb2FkZWQ9Ijg5NzAwNDAwIiB0b3RhbD0iODk3MDA0MDAiIGRvd25sb2FkX3RpbWVfbXM9IjgwNzQiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOSIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjI0MyIgZG93bmxvYWRfdGltZV9tcz0iOTgzOCIgZG93bmxvYWRlZD0iODk3MDA0MDAiIHRvdGFsPSI4OTcwMDQwMCIgaW5zdGFsbF90aW1lX21zPSIxNTAwOCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbca814f50,0x7ffbca814f60,0x7ffbca814f70
  2⤵
  PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery