hxxps://roblox[.]com

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3"	GamingRepair.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MinecraftInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Skype-8.119.0.201.tmp

Executes dropped EXE 17 IoCs

pid	Process
216	OneDriveSetup.exe
4944	OneDriveSetup.exe
2088	FileSyncConfig.exe
3020	OneDrive.exe
4224	MinecraftInstaller.exe
2120	GamingRepair.exe
4580	Skype-8.119.0.201.exe
5836	Skype-8.119.0.201.tmp
2992	Skype.exe
5816	Skype.exe
3028	Skype.exe
5204	Skype.exe
5872	Skype.exe
2052	Skype.exe
2224	Skype.exe
5240	Skype.exe
5828	Skype.exe

Loads dropped DLL 64 IoCs

pid	Process
2088	FileSyncConfig.exe
2088	FileSyncConfig.exe
2088	FileSyncConfig.exe
2088	FileSyncConfig.exe
2088	FileSyncConfig.exe
2088	FileSyncConfig.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
2992	Skype.exe
2992	Skype.exe
2992	Skype.exe
2992	Skype.exe
2992	Skype.exe
2992	Skype.exe
2992	Skype.exe
2992	Skype.exe
5816	Skype.exe
2992	Skype.exe
2992	Skype.exe
3028	Skype.exe
5204	Skype.exe
3028	Skype.exe
3028	Skype.exe
3028	Skype.exe
3028	Skype.exe
5872	Skype.exe
5872	Skype.exe
5872	Skype.exe
2052	Skype.exe
2052	Skype.exe
2052	Skype.exe
2052	Skype.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuthLib.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_CLASSES\WOW6432NODE\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDriveSetup.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype for Desktop = "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 7 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Skype.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-UQ4RH.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-IN5TJ.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-memory-l1-1-0.dll	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\SkypeContext.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-RGQCE.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-V80LH.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-MDI8S.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-FEPUQ.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\vulkan-1.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-0HV10.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-2R0A3.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-HKGUC.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-7LB2F.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-24JM1.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\ucrtbase.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-UAM9M.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-KP079.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-process-l1-1-0.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-NBBP0.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-2T33J.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-PL072.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-IDMUF.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-private-l1-1-0.dll	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-timezone-l1-1-0.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-UN98U.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-3HEM7.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\onnxruntime.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-7IMDQ.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-AAUCP.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\win\is-934AF.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-V99V5.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-9FT1O.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-ATSEM.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-CRQGA.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\vcruntime140.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-V45L4.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-UL25P.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\win\is-ND8VJ.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-H7L8J.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-1VSMR.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-UCUMS.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-8I1AE.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-G7LKI.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-TPLA7.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-conio-l1-1-0.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\unins000.dat	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-31HEQ.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l1-1-0.dll	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\ssScreenVVS2.dll	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-time-l1-1-0.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-TUENQ.tmp	Skype-8.119.0.201.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RTMPLTFM.dll	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-85J1O.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-0B255.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-BEDUG.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-5DJGS.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-OQC74.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\is-AU4RN.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-81CE3.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-CB3MA.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-FO5M8.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-7FMUM.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-40D2S.tmp	Skype-8.119.0.201.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\is-IP93I.tmp	Skype-8.119.0.201.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GamingRepair.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Skype.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GamingRepair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Skype.exe

Enumerates system info in registry 2 TTPs 17 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3936	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\IESettingSync	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133601336071313901"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer\ = "OOBERequestHandler.OOBERequestHandler.1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "PSFactoryBuffer"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_CLASSES\WOW6432NODE\INTERFACE\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_CLASSES\WOW6432NODE\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\VersionIndependentProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\*\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\ = "ErrorOverlayHandler2 Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ContextMenuOptIn	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ = "ISyncInformationLookupCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\ = "ToastActivator Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\ = "UpToDateUnpinnedOverlayHandler Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ = "IGetSpecialFolderInfoCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ = "ISyncEngineDeviceNotifications"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1\CLSID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\ProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\odopen	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

pid	Process
4004	reg.exe
4220	reg.exe
2128	reg.exe
3836	reg.exe
1708	reg.exe
4024	reg.exe
2408	reg.exe
5656	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Skype.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Skype.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Skype.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4908	OneDrive.exe
3020	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
4908	OneDrive.exe
4908	OneDrive.exe
216	OneDriveSetup.exe
216	OneDriveSetup.exe
216	OneDriveSetup.exe
216	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
4944	OneDriveSetup.exe
3020	OneDrive.exe
3020	OneDrive.exe
2000	chrome.exe
2000	chrome.exe
5612	chrome.exe
5612	chrome.exe
4988	chrome.exe
4988	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
5576	chrome.exe
5576	chrome.exe
5836	Skype-8.119.0.201.tmp
5836	Skype-8.119.0.201.tmp
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe
5816	Skype.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 44 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeTcbPrivilege	4800	svchost.exe
Token: SeRestorePrivilege	4800	svchost.exe
Token: SeIncreaseQuotaPrivilege	216	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	4944	OneDriveSetup.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe
Token: SeShutdownPrivilege	2000	chrome.exe
Token: SeCreatePagefilePrivilege	2000	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
4908	OneDrive.exe
4908	OneDrive.exe
4908	OneDrive.exe
4908	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
4908	OneDrive.exe
4908	OneDrive.exe
4908	OneDrive.exe
4908	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe
2000	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4908	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
3020	OneDrive.exe
5396	firefox.exe
5396	firefox.exe
5396	firefox.exe
5396	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 812	1976	chrome.exe	80
PID 1976 wrote to memory of 812	1976	chrome.exe	80
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 4392	1976	chrome.exe	81
PID 1976 wrote to memory of 2540	1976	chrome.exe	82
PID 1976 wrote to memory of 2540	1976	chrome.exe	82
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83
PID 1976 wrote to memory of 2984	1976	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://roblox.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6ec5ab58,0x7ffc6ec5ab68,0x7ffc6ec5ab78
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1832,i,14904960508558163836,4367916931793235759,131072 /prefetch:2
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1832,i,14904960508558163836,4367916931793235759,131072 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1832,i,14904960508558163836,4367916931793235759,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1832,i,14904960508558163836,4367916931793235759,131072 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1832,i,14904960508558163836,4367916931793235759,131072 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1832,i,14904960508558163836,4367916931793235759,131072 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 --field-trial-handle=1832,i,14904960508558163836,4367916931793235759,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1832,i,14904960508558163836,4367916931793235759,131072 /prefetch:8
  2⤵
  PID:2036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800
- C:\Windows\system32\dashost.exe
  dashost.exe {4c2005d8-6fa1-4f7b-91cc11862452096c}
  2⤵
  PID:1240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1140

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1456

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4908
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Adds Run key to start application
    - Checks system information in the registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:2088
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Registers COM server for autorun
      Checks system information in the registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6ec5ab58,0x7ffc6ec5ab68,0x7ffc6ec5ab78
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2324 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3940 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:5212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4032 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3516 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4168 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5060 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2044 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5572 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5732 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6080 --field-trial-handle=2144,i,17494147644943598662,493764025336753091,131072 /prefetch:8
  2⤵
  PID:5396

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x40c
1⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
"C:\Program Files\Google\Chrome\Application\chrome_proxy.exe" --profile-directory=Default --app-id=agimnkijcaahngcdmfeangaknmldooml
1⤵
PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --source-shortcut="C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\YouTube.lnk" --profile-directory=Default --app-id=agimnkijcaahngcdmfeangaknmldooml
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:5612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6ec5ab58,0x7ffc6ec5ab68,0x7ffc6ec5ab78
    3⤵
    PID:5748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:2
    3⤵
    PID:5344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:6016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2312 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:1092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3624 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:1
    3⤵
    PID:468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3644 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:1
    3⤵
    PID:1832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:1
    3⤵
    PID:5508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4688 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:3736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:2756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:4996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:1904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:4216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:5496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5176 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:1
    3⤵
    PID:876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:5744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 --field-trial-handle=2008,i,2615983365006141491,17256838434067542060,131072 /prefetch:8
    3⤵
    PID:5624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6ec5ab58,0x7ffc6ec5ab68,0x7ffc6ec5ab78
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:2
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3628 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4144 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5064 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4596 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4384 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5260 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3360 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5264 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2892 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1940,i,16350575211544561302,5972626869215774849,131072 /prefetch:8
  2⤵
  PID:2364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5840
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:5396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.0.1906251930\217496246" -parentBuildID 20230214051806 -prefsHandle 1732 -prefMapHandle 1740 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5ea06b2-291c-41fb-8859-dbd967c77d48} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 1820 24019b0ac58 gpu
    3⤵
    PID:2908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.1.259505104\1335120201" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab6044ba-3d5a-410c-afaa-207d7a7342d4} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 2388 2400cd8a258 socket
    3⤵
    - Checks processor information in registry
    PID:2920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.2.1171578291\310920448" -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2740 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99bae57c-fd32-47fa-b9db-e5d2429cda5b} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 2980 2401c4e6b58 tab
    3⤵
    PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.3.224718530\873802633" -childID 2 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9fc61ef-09df-494c-9db1-0b6b776bc194} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 4216 2401ec47c58 tab
    3⤵
    PID:5712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.4.1793962934\736712942" -childID 3 -isForBrowser -prefsHandle 5032 -prefMapHandle 5012 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3ce5397-eb46-4560-aad9-6b68a52f5751} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 5040 24021083258 tab
    3⤵
    PID:5264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.5.1441515668\1270222835" -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c79fbe2e-8372-4365-a02f-8c08b7b5a10f} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 5156 24021080b58 tab
    3⤵
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.6.1661873262\103328999" -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5440 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a1dd3c7-4a9d-4261-9439-32940458a1bf} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 5452 24021082358 tab
    3⤵
    PID:6032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.7.855568274\1330822051" -childID 6 -isForBrowser -prefsHandle 5868 -prefMapHandle 5864 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c7d0467-27f1-4a67-9d59-9a382e1bf0c0} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 5848 2401c493258 tab
    3⤵
    PID:3584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.8.822769897\1716324059" -childID 7 -isForBrowser -prefsHandle 5136 -prefMapHandle 5056 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ce0e573-7627-4a49-9ab9-32a5023fd0fb} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 5108 240210bd258 tab
    3⤵
    PID:3272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.9.774587662\1641144227" -childID 8 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dd04f5d-4b6b-4b2e-9906-eeedeef7d9a7} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 6152 240223cb258 tab
    3⤵
    PID:3060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.10.204807118\46437497" -childID 9 -isForBrowser -prefsHandle 3704 -prefMapHandle 4376 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d97bd385-3bdf-456d-81d6-98947db6c9da} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 4892 24021e2eb58 tab
    3⤵
    PID:1888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.11.1120820917\638876766" -childID 10 -isForBrowser -prefsHandle 5472 -prefMapHandle 5176 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f2861f4-ac6b-4d0c-93ed-1ddfee145649} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 5600 240220c6658 tab
    3⤵
    PID:4172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5396.12.779577752\656377526" -childID 11 -isForBrowser -prefsHandle 6180 -prefMapHandle 5372 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7e87f7b-d19e-4f67-af34-bef8d8c61bf3} 5396 "\\.\pipe\gecko-crash-server-pipe.5396" 5848 240223ca058 tab
    3⤵
    PID:4176
- - C:\Users\Admin\Downloads\MinecraftInstaller.exe
    "C:\Users\Admin\Downloads\MinecraftInstaller.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe
      "C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe" scenarioMinecraft
      4⤵
      Modifies security service
      Executes dropped EXE
      Checks processor information in registry
      PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6ec5ab58,0x7ffc6ec5ab68,0x7ffc6ec5ab78
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:2
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1496
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6ae20ae48,0x7ff6ae20ae58,0x7ff6ae20ae68
    3⤵
    PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3284
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6ae20ae48,0x7ff6ae20ae58,0x7ff6ae20ae68
    3⤵
    PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4864 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4264 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5168 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4592 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2292 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2780 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4524 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3220 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3188 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3144 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3960 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3004 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4904 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4120 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5256 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:5496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4644 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:6060
- C:\Users\Admin\Downloads\Skype-8.119.0.201.exe
  "C:\Users\Admin\Downloads\Skype-8.119.0.201.exe"
  2⤵
  - Executes dropped EXE
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\is-RSEF3.tmp\Skype-8.119.0.201.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RSEF3.tmp\Skype-8.119.0.201.tmp" /SL5="$1102E0,89112581,404480,C:\Users\Admin\Downloads\Skype-8.119.0.201.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5836
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
      4⤵
      Kills process with taskkill
      PID:3936
  - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
      "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies system certificate store
      PID:2992
    - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=068ebb1a-6131-4e2d-e38c-3c949974a378&uid=068ebb1a-6131-4e2d-e38c-3c949974a378 --annotation=IsOfficialBuild=1 --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.119.0.201 "--annotation=exe=C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.1.8 --initial-client-data=0x57c,0x580,0x584,0x578,0x588,0x804d2d8,0x804d2e8,0x804d2f4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5816
    - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 --field-trial-handle=2224,i,2977475064741405676,5770636385869628853,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3028
    - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=2476 --field-trial-handle=2224,i,2977475064741405676,5770636385869628853,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5204
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5656
    - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2856 --field-trial-handle=2224,i,2977475064741405676,5770636385869628853,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --skype-process-type=Main --skype-window-id=__MAIN_ROOT_VIEW_ID__ /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5872
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
        5⤵
        Modifies registry key
        
        PID:4004
    - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3060 --field-trial-handle=2224,i,2977475064741405676,5770636385869628853,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2052
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype For Desktop"
        5⤵
        Modifies registry key
        
        PID:4220
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\tel\UserChoice /v ProgId
        5⤵
        Modifies registry key
        
        PID:2128
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCR\\Application /v ApplicationName
        5⤵
        
        PID:1084
    - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3416 --field-trial-handle=2224,i,2977475064741405676,5770636385869628853,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:2224
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId
        5⤵
        Modifies registry key
        
        PID:3836
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\tel\UserChoice /v ProgId
        5⤵
        Modifies registry key
        
        PID:1708
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId
        5⤵
        Modifies registry key
        
        PID:4024
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCR\\Application /v ApplicationName
        5⤵
        
        PID:5280
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
        5⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
        5⤵
        
        PID:1528
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version
        5⤵
        Modifies registry key
        
        PID:2408
    - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3792 --field-trial-handle=2224,i,2977475064741405676,5770636385869628853,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:5240
    - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4080 --field-trial-handle=2224,i,2977475064741405676,5770636385869628853,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5012 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5112 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5728 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5276 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=4352 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=4560 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5056 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=3248 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5644 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5688 --field-trial-handle=1908,i,3508258502925250125,5742657143466881959,131072 /prefetch:8
  2⤵
  PID:6016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4360

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" -Embedding
1⤵
PID:4316

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" -Embedding
1⤵
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

System Information Discovery