b32074cd4b1a1894d9cbcb0f9c0bfd2bf4f4dcfcecf9e16df8ffd6ce16171c6e

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	VMware-workstation-full-17.0.0-20800274.exe

Looks for VMWare drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	DrvInst.exe

Modifies Installed Components in the registry 2 TTPs 9 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\112.0.5615.138\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{8A69D345-D564-463C-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vsock\ImagePath = "system32\\DRIVERS\\vsock.sys"	MsiExec.exe

Checks computer location settings 2 TTPs 51 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	vcredist_x86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	GoogleUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	vcredist_x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 64 IoCs

pid	Process
6416	ChromeSetup.exe
5444	GoogleUpdate.exe
6976	GoogleUpdate.exe
4264	GoogleUpdate.exe
6184	GoogleUpdateComRegisterShell64.exe
6200	GoogleUpdateComRegisterShell64.exe
4260	GoogleUpdateComRegisterShell64.exe
3948	GoogleUpdate.exe
6232	GoogleUpdate.exe
4144	GoogleUpdate.exe
6972	112.0.5615.138_chrome_installer.exe
5952	setup.exe
1040	setup.exe
6848	setup.exe
6872	setup.exe
2148	GoogleCrashHandler.exe
4396	GoogleCrashHandler64.exe
4504	GoogleUpdate.exe
4788	chrome.exe
6532	chrome.exe
5964	chrome.exe
5372	chrome.exe
5264	chrome.exe
3380	chrome.exe
5596	chrome.exe
6712	elevation_service.exe
7160	chrome.exe
3180	chrome.exe
6664	chrome.exe
6748	chrome.exe
5548	chrome.exe
4292	chrome.exe
5060	chrome.exe
2088	chrome.exe
5216	chrome.exe
4236	chrome.exe
3752	chrome.exe
3768	chrome.exe
3428	chrome.exe
4604	chrome.exe
6128	chrome.exe
6028	chrome.exe
2180	chrome.exe
4316	chrome.exe
6724	chrome.exe
6004	chrome.exe
3000	chrome.exe
4384	chrome.exe
5568	chrome.exe
6892	chrome.exe
6852	chrome.exe
3452	chrome.exe
2288	chrome.exe
5044	chrome.exe
2640	chrome.exe
5540	chrome.exe
6140	chrome.exe
2708	chrome.exe
6220	chrome.exe
3708	chrome.exe
6076	chrome.exe
5572	chrome.exe
5040	chrome.exe
4500	chrome.exe

Loads dropped DLL 64 IoCs

pid	Process
5444	GoogleUpdate.exe
6976	GoogleUpdate.exe
4264	GoogleUpdate.exe
6184	GoogleUpdateComRegisterShell64.exe
4264	GoogleUpdate.exe
6200	GoogleUpdateComRegisterShell64.exe
4264	GoogleUpdate.exe
4260	GoogleUpdateComRegisterShell64.exe
4264	GoogleUpdate.exe
3948	GoogleUpdate.exe
6232	GoogleUpdate.exe
4144	GoogleUpdate.exe
4144	GoogleUpdate.exe
6232	GoogleUpdate.exe
4504	GoogleUpdate.exe
4788	chrome.exe
6532	chrome.exe
4788	chrome.exe
5372	chrome.exe
5964	chrome.exe
5372	chrome.exe
5964	chrome.exe
5264	chrome.exe
5964	chrome.exe
5964	chrome.exe
5964	chrome.exe
5964	chrome.exe
5264	chrome.exe
5964	chrome.exe
3380	chrome.exe
5596	chrome.exe
3380	chrome.exe
7160	chrome.exe
7160	chrome.exe
5596	chrome.exe
3180	chrome.exe
6664	chrome.exe
6664	chrome.exe
6748	chrome.exe
6748	chrome.exe
3180	chrome.exe
4788	chrome.exe
5548	chrome.exe
5548	chrome.exe
4292	chrome.exe
4292	chrome.exe
5060	chrome.exe
5060	chrome.exe
2088	chrome.exe
2088	chrome.exe
5216	chrome.exe
4236	chrome.exe
5216	chrome.exe
4236	chrome.exe
3752	chrome.exe
3752	chrome.exe
3768	chrome.exe
3768	chrome.exe
3428	chrome.exe
3428	chrome.exe
4604	chrome.exe
4604	chrome.exe
6128	chrome.exe
6128	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 40 IoCs

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.202\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LOCALSERVER32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9394EA54-BA1B-4CE7-B2E5-E28067460B93}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32\ThreadingModel = "Both"	vnetlib64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9394EA54-BA1B-4CE7-B2E5-E28067460B93}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.202\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\112.0.5615.138\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.202\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Program Files\\Google\\Chrome\\Application\\112.0.5615.138\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.202\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\INPROCSERVER32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9394EA54-BA1B-4CE7-B2E5-E28067460B93}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9394EA54-BA1B-4CE7-B2E5-E28067460B93}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.202\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9394EA54-BA1B-4CE7-B2E5-E28067460B93}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9394EA54-BA1B-4CE7-B2E5-E28067460B93}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9394EA54-BA1B-4CE7-B2E5-E28067460B93}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.202\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32\ = "C:\\Program Files (x86)\\VMware\\VMware Workstation\\vmnetbridge.dll"	vnetlib64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.202\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9394EA54-BA1B-4CE7-B2E5-E28067460B93}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.202\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.202\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9394EA54-BA1B-4CE7-B2E5-E28067460B93}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32	vnetlib64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\INPROCSERVER32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe

Adds Run key to start application 2 TTPs 11 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vmware-tray.exe = "\"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vmware-tray.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a} = "\"C:\\ProgramData\\Package Cache\\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{2d507699-404c-4c8b-a54a-38e352f32cdd} = "\"C:\\ProgramData\\Package Cache\\{2d507699-404c-4c8b-a54a-38e352f32cdd}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	vmware.exe
File opened (read-only)	\??\R:	vmware.exe
File opened (read-only)	\??\B:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\Z:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	vmware.exe
File opened (read-only)	\??\A:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	vmware.exe
File opened (read-only)	\??\U:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\L:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\R:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	vmware.exe
File opened (read-only)	\??\O:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	vmware.exe
File opened (read-only)	\??\V:	vmware.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	vmware.exe
File opened (read-only)	\??\K:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\T:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\W:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\X:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	vmware.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	vmware.exe
File opened (read-only)	\??\O:	vmware.exe
File opened (read-only)	\??\G:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	vmware.exe
File opened (read-only)	\??\T:	vmware.exe
File opened (read-only)	\??\J:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\S:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\P:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	vmware.exe
File opened (read-only)	\??\W:	vmware.exe
File opened (read-only)	\??\V:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	vmware.exe
File opened (read-only)	\??\Z:	vmware.exe
File opened (read-only)	\??\F:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\E:	vmware.exe
File opened (read-only)	\??\Y:	vmware.exe
File opened (read-only)	\??\H:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\N:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\Y:	VMware-workstation-full-17.0.0-20800274.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	vmware.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vmware.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SET14A5.tmp	vnetlib64.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netbridge.inf_amd64_9204dc61a7dee6f3\vmnetbridge.dll	DrvInst.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	vnetlib64.exe
File opened for modification	C:\Windows\system32\SET1A35.tmp	vnetlib64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{233135a7-5467-c941-9709-3011512bc979}\vnetinst.dll	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vnetlib64.dll	vnetlib64.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vnetinst.dll	vnetlib64.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\perfc010.dat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dd85b35e-656c-0b42-9e03-3edcf7b07b52}\vmusb.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	vnetlib64.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{233135a7-5467-c941-9709-3011512bc979}\vmnet.sys	DrvInst.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netbridge.inf_amd64_9204dc61a7dee6f3\netbridge.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmusb.inf_amd64_c603306f7f2b335a\vmusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netbridge.inf_amd64_9204dc61a7dee6f3\vmnet.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	vnetlib64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	vnetlib64.exe
File opened for modification	C:\Windows\system32\DRVSTORE\vmx86_669FCD1D989372D507A41C017F9D9B620B285CD9\vmx86.inf	vnetlib64.exe
File created	C:\Windows\system32\SET57AA.tmp	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vmnat.exe	MsiExec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1360b14f-e8cd-694b-8e1a-22a3e1e78225}\SET1015.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netadapter.inf_amd64_8e12d1edcc9e768d\netadapter.PNF	vnetlib64.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	vnetlib64.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{dd85b35e-656c-0b42-9e03-3edcf7b07b52}\SETFB22.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\hcmon_1E804F260BFD7A2F39698591B5E6FF49B1EB033B\hcmon.cat	vnetlib64.exe
File created	C:\Windows\system32\SET14A5.tmp	vnetlib64.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netadapter.inf_amd64_8e12d1edcc9e768d\vmnetadapter.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netadapter.inf_amd64_8e12d1edcc9e768d\vmnetadapter.cat	DrvInst.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1360b14f-e8cd-694b-8e1a-22a3e1e78225}\vmnet.sys	DrvInst.exe
File created	C:\Windows\system32\perfh011.dat	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	vnetlib64.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1360b14f-e8cd-694b-8e1a-22a3e1e78225}\vmnetbridge.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	vnetlib64.exe
File created	C:\Windows\System32\DriverStore\Temp\{233135a7-5467-c941-9709-3011512bc979}\SET38AC.tmp	DrvInst.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\goopdateres_fi.dll	ChromeSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5952_441579662\Chrome-bin\112.0.5615.138\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\libcds.dll	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.dll	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\Workstation-17.0.0\32bit\vix.dll	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\topics.html	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\tasks_toc.html	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\lang\c\functions\VixJob_GetError.html	msiexec.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\goopdateres_de.dll	ChromeSetup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping4788_698825905\manifest.fingerprint	chrome.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\gobject-2.0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\ThinPrint\tpviewdeu.dll	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\env\ovftool-hw12-config-option.xml	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\env\ovftool-hw16-config-option.xml	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\lang\c\functions\VixVM_CreateDirectoryInGuest.html	msiexec.exe
File created	C:\Program Files\Common Files\VMware\Drivers\vmci\sockets\Win8\vsock.sys	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\icuuc60.dll	msiexec.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\psmachine_64.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\goopdateres_th.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.202\goopdateres_lv.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5952_441579662\Chrome-bin\112.0.5615.138\Locales\th.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5952_441579662\Chrome-bin\112.0.5615.138\libEGL.dll	setup.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\x64\PXE-LANCE.ROM	msiexec.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\goopdateres_ar.dll	ChromeSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5952_441579662\Chrome-bin\112.0.5615.138\VisualElements\LogoCanary.png	setup.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\vmnetbridge.cat	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\env\ovftool-hw11-config-option.xml	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\intro_toc.html	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\types\VixPowerState.html	msiexec.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.202\goopdateres_ru.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\112.0.5615.138_chrome_installer.exe	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5952_441579662\Chrome-bin\112.0.5615.138\Locales\ca.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5952_441579662\Chrome-bin\112.0.5615.138\Locales\de.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5952_441579662\Chrome-bin\112.0.5615.138\chrome_pwa_launcher.exe	setup.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\libexpat.dll	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\vmnetUserif.sys	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\vmnetBridge.dll	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\env\en\evc.vmsg	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\lang\c\functions\VixVM_FileExistsInGuest.html	msiexec.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping4788_1407207562\manifest.fingerprint	chrome.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\schemas\DMTF\CIM_ResourceAllocationSettingData.xsd	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\OVFTool\env\en\question.vmsg	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\index.html	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\lang\c\functions\VixVM_UpgradeVirtualHardware.html	msiexec.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\psuser_64.dll	ChromeSetup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping4788_1900089391\manifest.fingerprint	chrome.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI64.ROM	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.dll	msiexec.exe
File created	C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8\vmci.inf	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\samples\nMakefile64bit	msiexec.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\goopdateres_uk.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.202\goopdateres_fi.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5952_441579662\Chrome-bin\112.0.5615.138\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\Common Files\ThinPrint\TPPrintTicket.dll	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\Workstation-17.0.0\32bit\libcrypto-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\intro.html	msiexec.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.202\goopdateres_bg.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\VMware\VMware VIX\doc\lang\c\functions\VixVM_OpenUrlInGuest.html	msiexec.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\GoogleCrashHandler.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\psmachine.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.202\goopdateres_sl.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source5952_441579662\Chrome-bin\112.0.5615.138\112.0.5615.138.manifest	setup.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\open_source_licenses.txt	msiexec.exe
File created	C:\Program Files (x86)\VMware\VMware Workstation\x64\icudt44l.dat	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI9D99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI608E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCF6.tmp	msiexec.exe
File created	C:\Windows\Installer\e5d423c.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	vnetlib64.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIB62E.tmp	msiexec.exe
File created	C:\Windows\inf\VMware\vmPerfmon.ini	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI504D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI61BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5d424c.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\Installer\MSIE8F.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI5F23.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB881.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI615C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD18.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF3AD.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI526A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{0E992720-1330-4AB3-8155-255F79785535}\_generic.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB580.tmp	msiexec.exe
File created	C:\Windows\Installer\e5d4289.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB531.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5222.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI603F.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{38624EB5-356D-4B08-8357-C33D89A5C0C5}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	vnetlib64.exe
File created	C:\Windows\Installer\SourceHash{46E11E7F-01E1-44D0-BB86-C67342D253DD}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB134.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5d423c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI60FD.tmp	msiexec.exe
File created	C:\Windows\Installer\e5d4260.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C96241EA-9900-4FE8-85B3-1E238D509DF6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5d4260.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA134.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.PNF	vnetlib64.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI5FFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7111.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI618C.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\e5d4271.msi	msiexec.exe
File created	C:\Windows\Installer\e5d425f.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	vnetlib64.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File created	C:\Windows\Installer\{0E992720-1330-4AB3-8155-255F79785535}\_generic.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem4.PNF	vnetlib64.exe
File created	C:\Windows\Installer\e5d4270.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF36E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6249.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE13.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5528	6204	WerFault.exe	293

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vnetlib64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	vnetlib64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	vnetlib64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	vmware.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	vmware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vmware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	vmware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3	vmware.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vmware.exe

Enumerates system info in registry 2 TTPs 19 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\SerialController	vmware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\SerialController	vmware.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\SerialController	vmware.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	vmware.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	vmware.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	vmware.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DFC76A6B-4873-458C-AB00-40B1FC028001}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DFC76A6B-4873-458C-AB00-40B1FC028001}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{420F0000-71EB-4757-B979-418F039FC1F9}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{420F0000-71EB-4757-B979-418F039FC1F9}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA}	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	vnetlib64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133267615163589725"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\DeskTop	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	vnetlib64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vms\DefaultIcon\(Default) = "\"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vmware.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCF091A9-85F7-4EDA-84A9-D09AFA9B057E}\TypeLib\ = "{68C57A6A-2F94-4D7A-A1F9-3433C46E6D0F}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\ = "{2d507699-404c-4c8b-a54a-38e352f32cdd}"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ova\VMware.OVAPackage	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\027299E003313BA4185552F597875553\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\AppID = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ = "IPackage"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.vmtm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA}\InprocServer32\ = "C:\\Program Files (x86)\\VMware\\VMware Workstation\\elevated.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc.1.0\CLSID\ = "{1C4CDEFF-756A-4804-9E77-3E8EB9361016}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\ChromeHTML	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.32.31326"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ = "IPolicyStatus2"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32\ = "{9394EA54-BA1B-4CE7-B2E5-E28067460B93}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vmba\OpenWithList\vmware.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ova	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\027299E003313BA4185552F597875553\SourceList\Media\14 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CLSID\ = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer\ = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID\ = "GoogleUpdate.CoreClass"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusMachine\CurVer\ = "GoogleUpdate.PolicyStatusMachine.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35FCE01E-8917-496E-A509-497C5F2FA365}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vmt	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A686E3A-D57E-4B5C-A0A1-68D9BAB64C82}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ova\ = "VMware.OVAPackage"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89446985-4172-4883-A710-158277FCBF7B}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4548A7B2-5C17-400E-8D62-84DB4D79221F}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ova\OpenWithList\vmplayer.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods\ = "7"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ = "IJobObserver2"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vmtm\VMware.TeamConfiguration\ShellNew	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFC76A6B-4873-458C-AB00-40B1FC028001}\InprocServer32\ = "C:\\Program Files (x86)\\VMware\\VMware Workstation\\elevated.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{9394EA54-BA1B-4CE7-B2E5-E28067460B93}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass.1\CLSID\ = "{9B2340A0-4068-43D6-B404-32E27217859D}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE14269C00998EF4583BE132D805D96F\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VMware.Document\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods\ = "13"	GoogleUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation\Enabled = "1"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync\CurVer\ = "GoogleUpdate.CoCreateAsync.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\ChromeSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\GoogleUpdateSetup.exe\:Zone.Identifier:$DATA	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleUpdateSetup.exe\:Zone.Identifier:$DATA	GoogleUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
3772	setup.exe
3772	setup.exe
3772	setup.exe
3772	setup.exe
3772	setup.exe
3772	setup.exe
4488	msedge.exe
4488	msedge.exe
532	msedge.exe
532	msedge.exe
6684	identity_helper.exe
6684	identity_helper.exe
5444	GoogleUpdate.exe
5444	GoogleUpdate.exe
5444	GoogleUpdate.exe
5444	GoogleUpdate.exe
5444	GoogleUpdate.exe
5444	GoogleUpdate.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6232	GoogleUpdate.exe
6232	GoogleUpdate.exe
6232	GoogleUpdate.exe
6232	GoogleUpdate.exe
6184	taskmgr.exe
4504	GoogleUpdate.exe
4504	GoogleUpdate.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6184	taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
6944	MsiExec.exe
652	Process not Found
652	Process not Found
724	Process not Found
820	Process not Found
3588	Process not Found
2928	Process not Found
3020	Process not Found
5516	Process not Found
7116	Process not Found
1980	Process not Found
4468	Process not Found
6796	Process not Found
6912	Process not Found
6800	Process not Found
1036	Process not Found
3456	Process not Found
6284	Process not Found
6140	Process not Found
6432	Process not Found
1504	Process not Found
1052	Process not Found
1112	Process not Found
7124	Process not Found
3576	Process not Found
5112	Process not Found
6192	Process not Found
6496	Process not Found
4852	Process not Found
5300	Process not Found
6740	Process not Found
7056	Process not Found
2720	Process not Found
4160	Process not Found
6764	Process not Found
7060	Process not Found
5292	Process not Found
6836	Process not Found
6608	Process not Found
444	Process not Found
996	Process not Found
756	Process not Found
2328	Process not Found
2120	Process not Found
6748	Process not Found
5004	Process not Found
4388	Process not Found
6084	Process not Found
6588	Process not Found
3748	Process not Found
2160	Process not Found
5740	Process not Found
4696	Process not Found
3216	Process not Found
6040	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 52 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
532	msedge.exe
532	msedge.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	6032	chrome.exe
Token: SeCreatePagefilePrivilege	6032	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	6032	chrome.exe
Token: SeCreatePagefilePrivilege	6032	chrome.exe
Token: SeShutdownPrivilege	6032	chrome.exe
Token: SeCreatePagefilePrivilege	6032	chrome.exe
Token: SeShutdownPrivilege	5948	chrome.exe
Token: SeCreatePagefilePrivilege	5948	chrome.exe
Token: SeShutdownPrivilege	5948	chrome.exe
Token: SeCreatePagefilePrivilege	5948	chrome.exe
Token: SeShutdownPrivilege	5948	chrome.exe
Token: SeCreatePagefilePrivilege	5948	chrome.exe
Token: SeShutdownPrivilege	5948	chrome.exe
Token: SeCreatePagefilePrivilege	5948	chrome.exe
Token: SeShutdownPrivilege	5948	chrome.exe
Token: SeCreatePagefilePrivilege	5948	chrome.exe
Token: SeBackupPrivilege	3772	setup.exe
Token: SeRestorePrivilege	3772	setup.exe
Token: SeDebugPrivilege	5508	firefox.exe
Token: SeDebugPrivilege	5508	firefox.exe
Token: SeDebugPrivilege	5444	GoogleUpdate.exe
Token: SeDebugPrivilege	5444	GoogleUpdate.exe
Token: SeDebugPrivilege	5444	GoogleUpdate.exe
Token: 33	6972	112.0.5615.138_chrome_installer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
532	msedge.exe
6848	setup.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe
6184	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
6180	vmware.exe
1820	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2088	5076	chrome.exe	94
PID 5076 wrote to memory of 2088	5076	chrome.exe	94
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 4420	5076	chrome.exe	95
PID 5076 wrote to memory of 5100	5076	chrome.exe	96
PID 5076 wrote to memory of 5100	5076	chrome.exe	96
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97
PID 5076 wrote to memory of 1396	5076	chrome.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Captures 11_20_2022 2_27_35 PM.png"
1⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea4109758,0x7ffea4109768,0x7ffea4109778
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:2
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4516 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:8
  2⤵
  PID:5408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:8
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1812,i,15660957706790156952,16156798575614083801,131072 /prefetch:8
  2⤵
  PID:5584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --uninstall --system-level
1⤵
PID:5976
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6fd8a7688,0x7ff6fd8a7698,0x7ff6fd8a76a8
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --uninstall
  2⤵
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:6032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea4109758,0x7ffea4109768,0x7ffea4109778
    3⤵
    PID:6048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1692,i,3594330422082676723,12873480627374289710,131072 /prefetch:2
    3⤵
    PID:1708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1692,i,3594330422082676723,12873480627374289710,131072 /prefetch:8
    3⤵
    PID:2184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --uninstall --system-level
1⤵
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6fd8a7688,0x7ff6fd8a7698,0x7ff6fd8a76a8
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --uninstall
  2⤵
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea4109758,0x7ffea4109768,0x7ffea4109778
    3⤵
    PID:1160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=2004,i,4707320422496599891,9932517001688779875,131072 /prefetch:2
    3⤵
    PID:1776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=364 --field-trial-handle=2004,i,4707320422496599891,9932517001688779875,131072 /prefetch:8
    3⤵
    PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://support.google.com/chrome?p=chrome_uninstall_survey&crversion=106.0.5249.119&os=10.0.19041
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffea41146f8,0x7ffea4114708,0x7ffea4114718
    3⤵
    PID:1192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1833866506518092536,15557510348516945445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:3784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1833866506518092536,15557510348516945445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1833866506518092536,15557510348516945445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:8
    3⤵
    PID:5764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1833866506518092536,15557510348516945445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
    3⤵
    PID:5660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1833866506518092536,15557510348516945445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1833866506518092536,15557510348516945445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
    3⤵
    PID:1036
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:3440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x100,0x10c,0x104,0x7ff6f8155460,0x7ff6f8155470,0x7ff6f8155480
      4⤵
      PID:5148
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1833866506518092536,15557510348516945445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1824
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.0.1676410736\675419985" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1656 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0996e4c-a337-48f3-b455-058fff5447b6} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 1932 21f67e19258 gpu
    3⤵
    PID:3728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.1.1025189813\1833829679" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb874c1e-971c-4f02-95f7-dc0367cd3359} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 2332 21f59f6fe58 socket
    3⤵
    - Checks processor information in registry
    PID:5732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.2.1550981112\74060783" -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 2896 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {124dfb76-0a3a-41da-8bf0-b7b3d0476c94} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 1676 21f6ab06b58 tab
    3⤵
    PID:2056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.3.19960486\1077581338" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3232 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ef3fb7-d339-4a52-b1de-ae1eed6f1e13} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 3532 21f6ab05958 tab
    3⤵
    PID:2092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.4.319003918\374911311" -childID 3 -isForBrowser -prefsHandle 4060 -prefMapHandle 4068 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e44ff8fc-56dc-406e-aff2-c57cee5f3709} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 4088 21f59f61358 tab
    3⤵
    PID:5424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.5.198899627\1289836193" -childID 4 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6968e8d1-47dc-43f4-a170-218a83604733} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 5024 21f6cce4f58 tab
    3⤵
    PID:5180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.6.236544111\2012270996" -childID 5 -isForBrowser -prefsHandle 5004 -prefMapHandle 4828 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51552a55-2855-4cfc-b358-ce3bfef7ec57} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 4764 21f6d0ece58 tab
    3⤵
    PID:5280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.7.760803792\636197370" -childID 6 -isForBrowser -prefsHandle 5400 -prefMapHandle 5396 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {991fb4aa-0bfb-4d9f-b146-ff8bc3dbbb7d} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 5312 21f6d0ed158 tab
    3⤵
    PID:5648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.8.2044768948\1524487147" -childID 7 -isForBrowser -prefsHandle 5816 -prefMapHandle 5832 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {089596d8-7365-4a82-afc2-089b14693937} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 5824 21f6e390458 tab
    3⤵
    PID:7140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.9.194599941\1279145518" -childID 8 -isForBrowser -prefsHandle 3196 -prefMapHandle 3152 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aecf14d7-8f3b-4d77-9919-148add1071de} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 3264 21f6f1a7458 tab
    3⤵
    PID:4488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5508.10.903918336\752508343" -childID 9 -isForBrowser -prefsHandle 6772 -prefMapHandle 6768 -prefsLen 26970 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2849ad73-c30c-4c1d-8ec3-648986ed7d5c} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" 6780 21f59f67e58 tab
    3⤵
    PID:6332
- - C:\Users\Admin\Downloads\ChromeSetup.exe
    "C:\Users\Admin\Downloads\ChromeSetup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - NTFS ADS
    PID:6416
  - - C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Temp\GUMAB63.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={0DF50BE8-7ABF-744E-9A32-A0BFA6A74338}&lang=en&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
      4⤵
      Sets file execution options in registry
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5444
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:6976
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4264
      - C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:6184
      - C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:6200
      - C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4260
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4yMDIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4yMDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTU5QUEzREYtRjk3Qy00ODk1LTg1REYtQjI3NDE0OUM5QUIwfSIgdXNlcmlkPSJ7NEY1NjVENTAtQ0M0RS00NDQwLThBRTAtODg0MjNEOTNGODAyfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0U0QzIyRkQ1LTM0NjYtNDUxMC04QTcyLTE0MTJENDU2MkY2RX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjE1MSIgbmV4dHZlcnNpb249IjEuMy4zNi4yMDIiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiIgaWlkPSJ7MERGNTBCRTgtN0FCRi03NDRFLTlBMzItQTBCRkE2QTc0MzM4fSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMDg1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3948
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={0DF50BE8-7ABF-744E-9A32-A0BFA6A74338}&lang=en&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{159AA3DF-F97C-4895-85DF-B274149C9AB0}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:6232

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:4144
- C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\112.0.5615.138_chrome_installer.exe
  "C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\112.0.5615.138_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\guiF1C2.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6972
- - C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\CR_CE4FE.tmp\setup.exe
    "C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\CR_CE4FE.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\CR_CE4FE.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\guiF1C2.tmp"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    PID:5952
  - - C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\CR_CE4FE.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\CR_CE4FE.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=112.0.5615.138 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff62edcfdc8,0x7ff62edcfdd8,0x7ff62edcfde8
      4⤵
      Executes dropped EXE
      PID:1040
  - - C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\CR_CE4FE.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\CR_CE4FE.tmp\setup.exe" --channel=stable --system-level --verbose-logging --installerdata="C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\guiF1C2.tmp" --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:6848
    - - C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\CR_CE4FE.tmp\setup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{F13D4D75-213A-4132-9914-59F22604725C}\CR_CE4FE.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=112.0.5615.138 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff62edcfdc8,0x7ff62edcfdd8,0x7ff62edcfde8
        5⤵
        Executes dropped EXE
        
        PID:6872
- C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleCrashHandler.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleCrashHandler64.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4yMDIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4yMDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTU5QUEzREYtRjk3Qy00ODk1LTg1REYtQjI3NDE0OUM5QUIwfSIgdXNlcmlkPSJ7Q0YzMjAyRDgtRkRGNC00MTA4LUExQUMtNjIxRjA3RTI2N0NCfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezZERTlCMDA3LTBFMzgtNDE4Ny1BODcxLTc3NUVERkNBRUUyOH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTEyLjAuNTYxNS4xMzgiIGFwPSJ4NjQtc3RhYmxlLXN0YXRzZGVmXzEiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNjIiIGlpZD0iezBERjUwQkU4LTdBQkYtNzQ0RS05QTMyLUEwQkZBNkE3NDMzOH0iIGNvaG9ydD0iMTpndS9pMTk6IiBjb2hvcnRuYW1lPSJTdGFibGUgSW5zdGFsbHMgJmFtcDsgVmVyc2lvbiBQaW5zIj48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL2VkZ2VkbC5tZS5ndnQxLmNvbS9lZGdlZGwvcmVsZWFzZTIvY2hyb21lL2R3eWVzY3JsMml5YzZwZHFneHBkbHhuY2R1XzExMi4wLjU2MTUuMTM4LzExMi4wLjU2MTUuMTM4X2Nocm9tZV9pbnN0YWxsZXIuZXhlIiBkb3dubG9hZGVkPSI5MzQ4NjEyMCIgdG90YWw9IjkzNDg2MTIwIiBkb3dubG9hZF90aW1lX21zPSI2MzgyIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3MDciIHNvdXJjZV91cmxfaW5kZXg9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIzMzQiIGRvd25sb2FkX3RpbWVfbXM9IjgwMjUiIGRvd25sb2FkZWQ9IjkzNDg2MTIwIiB0b3RhbD0iOTM0ODYxMjAiIGluc3RhbGxfdGltZV9tcz0iNTgxMzIiLz48L2FwcD48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIiIGFwPSJ4NjQtc3RhYmxlLXN0YXRzZGVmXzEiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjYyIiBpbnN0YWxsZGF0ZT0iNTk1MCIgY29ob3J0PSIxOmd1L2kxOToiIGNvaG9ydG5hbWU9IlN0YWJsZSBJbnN0YWxscyAmYW1wOyBWZXJzaW9uIFBpbnMiPjxldmVudCBldmVudHR5cGU9IjQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4504

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=112.0.5615.138 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffea4469a60,0x7ffea4469a70,0x7ffea4469a80
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2664 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4176 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4484 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4768 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3112 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4180 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4296 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4920 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4400 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5352 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5192 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5536 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5656 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5768 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5244 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5708 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5512 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5356 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5748 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3324 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5888 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5292 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1188 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5440 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6084 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6348 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6424 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6424 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6428 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6412 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6896 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6536 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7040 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=6572 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:6636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6440 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6992 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=2100 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6296 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:2
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=1588 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6700 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:6328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=5824 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=6128 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=7284 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:6484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=7584 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=7236 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=7848 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=8008 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:6316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=3276 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:5408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=7868 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=7332 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8120 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8052 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7304 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=8124 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=5176 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:6820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=5732 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=5952 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=8428 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:6668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=8124 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=3340 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=3304 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:7048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=8408 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=5904 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 --field-trial-handle=2016,i,2299830969500151754,13548201839649714533,131072 /prefetch:8
  2⤵
  PID:748
- C:\Users\Admin\Downloads\VMware-workstation-full-17.0.0-20800274.exe
  "C:\Users\Admin\Downloads\VMware-workstation-full-17.0.0-20800274.exe"
  2⤵
  - Looks for VMWare Tools registry key
  - Enumerates connected drives
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\{0E992720-1330-4AB3-8155-255F79785535}~setup\vcredist_x86.exe
    "C:\Users\Admin\AppData\Local\Temp\{0E992720-1330-4AB3-8155-255F79785535}~setup\vcredist_x86.exe" /Q /norestart
    3⤵
    PID:996
  - - C:\Windows\Temp\{B9BD46ED-5EA0-4FE6-9BD9-C87B708C7D49}\.cr\vcredist_x86.exe
      "C:\Windows\Temp\{B9BD46ED-5EA0-4FE6-9BD9-C87B708C7D49}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{0E992720-1330-4AB3-8155-255F79785535}~setup\vcredist_x86.exe" -burn.filehandle.attached=572 -burn.filehandle.self=576 /Q /norestart
      4⤵
      Checks computer location settings
      PID:5808
    - - C:\Windows\Temp\{7CC1A8CB-DBB0-411A-AE2B-FD633F928AF1}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{7CC1A8CB-DBB0-411A-AE2B-FD633F928AF1}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{E96E1073-C5BE-4970-A93C-4A5B24088258} {2E35033B-F56C-4CF4-B188-072C45C1192D} 5808
        5⤵
        Adds Run key to start application
        
        PID:2180
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={817e21c1-6b3a-4bc1-8c49-67e4e1887b3a} -burn.filehandle.self=1136 -burn.embedded BurnPipe.{AB71B89E-B0EB-49B2-A916-C0553603D56C} {6735136F-6238-4819-9FDA-79F9C6CC777C} 2180
        6⤵
        
        PID:7084
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={817e21c1-6b3a-4bc1-8c49-67e4e1887b3a} -burn.filehandle.self=1136 -burn.embedded BurnPipe.{AB71B89E-B0EB-49B2-A916-C0553603D56C} {6735136F-6238-4819-9FDA-79F9C6CC777C} 2180
        7⤵
        
        PID:5536
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{010E1DAF-9841-42CC-94FB-E0A03A499C52} {76CB7F09-D0B8-4E67-97D1-7BB348A73298} 5536
        8⤵
        
        PID:2244
- - C:\Users\Admin\AppData\Local\Temp\{0E992720-1330-4AB3-8155-255F79785535}~setup\vcredist_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\{0E992720-1330-4AB3-8155-255F79785535}~setup\vcredist_x64.exe" /Q /norestart
    3⤵
    PID:1904
  - - C:\Windows\Temp\{4C8C1E8A-0BE9-40C9-8C84-527CC8991B13}\.cr\vcredist_x64.exe
      "C:\Windows\Temp\{4C8C1E8A-0BE9-40C9-8C84-527CC8991B13}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{0E992720-1330-4AB3-8155-255F79785535}~setup\vcredist_x64.exe" -burn.filehandle.attached=584 -burn.filehandle.self=220 /Q /norestart
      4⤵
      Checks computer location settings
      PID:3848
    - - C:\Windows\Temp\{51C7E369-C199-40A3-AAFB-7EA9CC2701E5}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{51C7E369-C199-40A3-AAFB-7EA9CC2701E5}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{8CDF2499-1B63-4AA7-87B3-204EECF71669} {75F7EEB2-89D4-44B5-8F1D-FF97E8DB4544} 3848
        5⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3576
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={2d507699-404c-4c8b-a54a-38e352f32cdd} -burn.filehandle.self=1072 -burn.embedded BurnPipe.{EAD13ABE-932D-4F8D-8B00-22E0D466AF02} {0A483852-6484-4B81-B5A5-10F547ABE8E0} 3576
        6⤵
        
        PID:5384
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={2d507699-404c-4c8b-a54a-38e352f32cdd} -burn.filehandle.self=1072 -burn.embedded BurnPipe.{EAD13ABE-932D-4F8D-8B00-22E0D466AF02} {0A483852-6484-4B81-B5A5-10F547ABE8E0} 3576
        7⤵
        
        PID:1600
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{D513C387-469C-484F-875A-2E8E4C5C44FE} {E75CC752-C94F-4864-B11D-C7F02D242AEF} 1600
        8⤵
        
        PID:1112

C:\Program Files\Google\Chrome\Application\112.0.5615.138\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\112.0.5615.138\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:6712

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344 0x340
1⤵
PID:2816

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c
1⤵
PID:4944
- C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleCrashHandler.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleCrashHandler.exe"
  2⤵
  PID:2460
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /cr
  2⤵
  PID:6440
- C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleCrashHandler64.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.202\GoogleCrashHandler64.exe"
  2⤵
  PID:5284
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource core
  2⤵
  PID:4080

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
1⤵
PID:6468

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:5224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1412

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6DAB4F5287CCAB36C282D94B7BF60EA2 C
  2⤵
  PID:6204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 908
    3⤵
    - Program crash
    PID:5528
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C1EBB716019AAEB696737223B9669442 C
  2⤵
  PID:6140
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1E40E946D4E2CE38D1971CB164160DCC
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:6524
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0A9F439C05F05F373D9AACB3310933AB
  2⤵
  PID:5804
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D4517245AADEB05ECC28C90E43694653 E Global\MSI0000
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1252
- - C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
    "C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- uninstall usb
    3⤵
    - Drops file in Windows directory
    PID:1980
- - C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
    "C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- install vmusb Win8
    3⤵
    - Drops file in Windows directory
    PID:1972
- - C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe
    "C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe" -- install hcmoninf 5;Win7
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2712
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet0
    3⤵
    PID:4384
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet1
    3⤵
    PID:1944
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet2
    3⤵
    PID:3996
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet3
    3⤵
    PID:1892
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet4
    3⤵
    PID:5784
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet5
    3⤵
    PID:5340
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet6
    3⤵
    PID:6740
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet7
    3⤵
    PID:5496
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet8
    3⤵
    PID:4468
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet9
    3⤵
    PID:6252
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet10
    3⤵
    PID:6272
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet11
    3⤵
    PID:2864
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet12
    3⤵
    PID:7048
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet13
    3⤵
    PID:5252
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet14
    3⤵
    PID:2068
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet15
    3⤵
    PID:4532
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet16
    3⤵
    PID:6484
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet17
    3⤵
    PID:5608
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet18
    3⤵
    PID:2580
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- remove adapter vmnet19
    3⤵
    PID:4324
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- uninstall bridge
    3⤵
    PID:6664
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- uninstall userif 5;None
    3⤵
    PID:4664
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- install bridge
    3⤵
    - Drops file in Drivers directory
    - Registers COM server for autorun
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:6768
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- install userif 5;None
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:212
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- add adapter vmnet1
    3⤵
    - Drops file in System32 directory
    - Checks SCSI registry key(s)
    PID:2012
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- add adapter vmnet8
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:6584
- - C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe
    "C:\Program Files (x86)\VMware\VMware Workstation\vnetlib64.exe" -- install vmx86inf 5;Win8
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:5776
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 773F3B56E8C257B6501D66B5E0389485 E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: LoadsDriver
  PID:6944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6204 -ip 6204
1⤵
PID:5588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:6156
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8\vmusb.inf" "9" "454492f13" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5928
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Workstation\netbridge.inf" "9" "498636d73" "0000000000000178" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files (x86)\VMware\VMware Workstation"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:6456
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Workstation\netadapter.inf" "9" "4d396c847" "000000000000014C" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files (x86)\VMware\VMware Workstation"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1352
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\VMWARE\0000" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2477c2bb3:VMnetAdapter1.Install:14.0.0.5:*vmnetadapter1," "4cbdd083b" "0000000000000154"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4904
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\VMWARE\0001" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2df34f6ba:VMnetAdapter8.Install:14.0.0.5:*vmnetadapter8," "47eb20b4f" "000000000000017C"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:6152
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8\vmci.inf" "9" "4d941d7e3" "000000000000017C" "WinSta0\Default" "000000000000014C" "208" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8"
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:6696
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\VMWVMCIHOSTDEV\0000" "C:\Windows\INF\oem6.inf" "oem6.inf:9c00c72d390d9e8f:vmci.install.x64:9.8.18.0:root\vmwvmcihostdev," "42936a687" "000000000000017C"
  2⤵
  - Drops file in Drivers directory
  - Looks for VMWare drivers on disk
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:1552

\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
c:\windows\system32\NetCfgNotifyObjectHost.exe {253D8A4B-4DC2-44F8-A77D-FE7A9053916C} 536
1⤵
PID:6312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:2584

\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
c:\windows\system32\NetCfgNotifyObjectHost.exe {467DBCFD-15DA-429F-9015-EA911650F829} 860
1⤵
PID:4500

\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
c:\windows\system32\NetCfgNotifyObjectHost.exe {400743E3-64D0-4236-8B8F-1777B23D7BA1} 940
1⤵
PID:4616

\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
c:\windows\system32\NetCfgNotifyObjectHost.exe {FD399325-27FE-49D3-A74B-0FB4E687A257} 952
1⤵
PID:2252

C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
"C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe"
1⤵
PID:2084

C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe
"C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:6180
- C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
  "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
  2⤵
  PID:4740

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{13B6B196-AD7B-4C7F-9BDC-B1CB2EE86552}
1⤵
PID:392

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\GetSend.vbe"
1⤵
PID:3308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ba855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

T1081

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion