9bb9b429599af896e15e17f93bd828d8917cffaff40b6107b47dfb6972b59145

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.113\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

chrome.exeMicrosoft Remote Desktop Installer.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Microsoft Remote Desktop Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 59 IoCs

Processes:

ChromeSetup.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe125.0.6422.113_chrome_installer.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeMicrosoft Remote Desktop Installer.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
5284	ChromeSetup.exe
1924	updater.exe
4420	updater.exe
1116	updater.exe
3664	updater.exe
1852	updater.exe
5968	updater.exe
3532	125.0.6422.113_chrome_installer.exe
4484	setup.exe
5572	setup.exe
3484	setup.exe
5336	setup.exe
4068	setup.exe
2336	setup.exe
2548	setup.exe
1252	setup.exe
724	chrome.exe
6092	chrome.exe
4036	chrome.exe
2916	chrome.exe
1544	chrome.exe
4944	chrome.exe
6048	chrome.exe
3292	chrome.exe
4476	elevation_service.exe
5184	chrome.exe
1012	chrome.exe
2740	chrome.exe
948	chrome.exe
4424	chrome.exe
1920	chrome.exe
5284	chrome.exe
1212	chrome.exe
3964	chrome.exe
5604	chrome.exe
4100	chrome.exe
2680	chrome.exe
3924	chrome.exe
3024	chrome.exe
5184	Microsoft Remote Desktop Installer.exe
5808	updater.exe
5388	updater.exe
4808	updater.exe
1928	updater.exe
2892	updater.exe
5796	updater.exe
2360	chrome.exe
748	chrome.exe
1792	chrome.exe
2192	chrome.exe
3280	chrome.exe
5716	chrome.exe
4944	chrome.exe
640	elevation_service.exe
116	chrome.exe
2604	chrome.exe
4748	chrome.exe
960	chrome.exe
448	chrome.exe

Loads dropped DLL 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
724	chrome.exe
6092	chrome.exe
724	chrome.exe
4036	chrome.exe
2916	chrome.exe
2916	chrome.exe
4036	chrome.exe
1544	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
1544	chrome.exe
6048	chrome.exe
4944	chrome.exe
6048	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4944	chrome.exe
3292	chrome.exe
3292	chrome.exe
5184	chrome.exe
5184	chrome.exe
1012	chrome.exe
1012	chrome.exe
2740	chrome.exe
2740	chrome.exe
948	chrome.exe
948	chrome.exe
4424	chrome.exe
4424	chrome.exe
1920	chrome.exe
1920	chrome.exe
5284	chrome.exe
5284	chrome.exe
1212	chrome.exe
1212	chrome.exe
3964	chrome.exe
5604	chrome.exe
3964	chrome.exe
5604	chrome.exe
4100	chrome.exe
4100	chrome.exe
2680	chrome.exe
2680	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3924	chrome.exe
3024	chrome.exe
3024	chrome.exe
2360	chrome.exe
748	chrome.exe
2360	chrome.exe
1792	chrome.exe
2192	chrome.exe
1792	chrome.exe
2192	chrome.exe
3280	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
3280	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.113\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.113\\notification_helper.exe"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

Processes:

updater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 1 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

updater.exeupdater.exe125.0.6422.113_chrome_installer.exesetup.exechrome.exesetup.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeChromeSetup.exeupdater.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe5943f5.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe	125.0.6422.113_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\kn.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping724_200507994\manifest.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\new_chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\chrmstp.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\mr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\nb.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Application\new_chrome.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe5dfb4b.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\dxil.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\uk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\b5e0d293-565a-4e53-9834-c68fe1083d8e.tmp	updater.exe
File created	C:\Program Files (x86)\Google5284_366045745\bin\uninstall.cmd	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe596bef.TMP	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\125.0.6422.113_chrome_installer.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\bn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\default_apps\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\ms.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\VisualElements\SmallLogoBeta.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\ba3276f6-895b-4a87-be5b-fa4c2b854385.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	ChromeSetup.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\_metadata\verified_contents.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\ca.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe	125.0.6422.113_chrome_installer.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\hi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Application\new_chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\f19fa6ee-5946-4ce8-b259-d67f3cb067a5.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\et.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\VisualElements\Logo.png	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\uninstall.cmd	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\manifest.fingerprint	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\lv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\ru.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\lt.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\sr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4484_827471442\Chrome-bin\125.0.6422.113\Locales\pt-PT.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RdClient.Windows.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RdClient.Windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RdClient.Windows.exe

Enumerates system info in registry 2 TTPs 17 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exeRdClient.Windows.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	RdClient.Windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	RdClient.Windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	RdClient.Windows.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

setup.exesvchost.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609921919922921"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

Processes:

updater.exesetup.exeupdater.exeRdClient.Windows.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib\ = "{D106AB5F-A70E-400E-A21B-96208C1D8DBB}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ = "IGoogleUpdate3WebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}\LocalService = "GoogleUpdaterService127.0.6490.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib\ = "{247954F9-9EDC-4E68-8CC3-150C2B89EADF}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatus3"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\ = "{27634814-8E41-4C35-8577-980134A96544}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\ = "GoogleUpdater TypeLib for IUpdaterSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\Elevation	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib\ = "{ACAB122B-29C0-56A9-8145-AFA2F82A547C}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\ = "GoogleUpdater TypeLib for IAppCommandWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B4168B26-4DAC-5948-8F80-84C2235AD469}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ = "ICurrentStateSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncherSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\ = "{463ABECF-410D-407F-8AF5-0DF35A005CC8}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ = "IUpdaterAppStatesCallbackSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\MuiCache	RdClient.Windows.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ = "IUpdaterAppStateSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\ = "GoogleUpdater TypeLib for IUpdaterCallbackSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\ = "{C4622B28-A747-44C7-96AF-319BE5C3B261}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

RdClient.Windows.exe

pid process

1920 RdClient.Windows.exe

pid	process
1920	RdClient.Windows.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

chrome.exechrome.exeupdater.exeupdater.exeupdater.exechrome.exechrome.exeupdater.exeupdater.exeupdater.exemsedge.exechrome.exechrome.exemsedge.exe

pid	process
4792	chrome.exe
4792	chrome.exe
6136	chrome.exe
6136	chrome.exe
1924	updater.exe
1924	updater.exe
1924	updater.exe
1924	updater.exe
1924	updater.exe
1924	updater.exe
1116	updater.exe
1116	updater.exe
1116	updater.exe
1116	updater.exe
1116	updater.exe
1116	updater.exe
1852	updater.exe
1852	updater.exe
1852	updater.exe
1852	updater.exe
1852	updater.exe
1852	updater.exe
1852	updater.exe
1852	updater.exe
724	chrome.exe
724	chrome.exe
3924	chrome.exe
3924	chrome.exe
5808	updater.exe
5808	updater.exe
5808	updater.exe
5808	updater.exe
4808	updater.exe
4808	updater.exe
4808	updater.exe
4808	updater.exe
2892	updater.exe
2892	updater.exe
2892	updater.exe
2892	updater.exe
2892	updater.exe
2892	updater.exe
4344	msedge.exe
4344	msedge.exe
2892	updater.exe
2892	updater.exe
2360	chrome.exe
2360	chrome.exe
448	chrome.exe
448	chrome.exe
4408	msedge.exe
4408	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid	process
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	4792	chrome.exe
Token: SeCreatePagefilePrivilege	4792	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe
Token: SeShutdownPrivilege	6136	chrome.exe
Token: SeCreatePagefilePrivilege	6136	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
724	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
4792	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

RdClient.Windows.exeSystemSettingsAdminFlows.exe

pid process

1920 RdClient.Windows.exe
1920 RdClient.Windows.exe
1920 RdClient.Windows.exe
1568 SystemSettingsAdminFlows.exe

pid	process
1920	RdClient.Windows.exe
1920	RdClient.Windows.exe
1920	RdClient.Windows.exe
1568	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4792 wrote to memory of 2984	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 2984	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 5804	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 2932	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 2932	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe
PID 4792 wrote to memory of 1380	4792	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Firework Stars.png"
1⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffad34cab58,0x7ffad34cab68,0x7ffad34cab78
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:2
2⤵
PID:5804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:8
2⤵
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:1
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3284 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:1
2⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3988 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:1
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4316 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:8
2⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:8
2⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:8
2⤵
PID:6020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:8
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4232 --field-trial-handle=1904,i,17122540800508501984,693785025180854193,131072 /prefetch:1
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x244,0x260,0x7ff76bdfae48,0x7ff76bdfae58,0x7ff76bdfae68
3⤵
PID:2936

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:1256

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff76bdfae48,0x7ff76bdfae58,0x7ff76bdfae68
3⤵
PID:2000

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad34cab58,0x7ffad34cab68,0x7ffad34cab78
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:2
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:1
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:1
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:1
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4200 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:1
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:5364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5096 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4148 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:1
2⤵
PID:3824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5496 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5496 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5824 --field-trial-handle=1924,i,1298277843333847659,12998235895692140922,131072 /prefetch:8
2⤵
PID:4476

C:\Users\Admin\Downloads\ChromeSetup.exe
"C:\Users\Admin\Downloads\ChromeSetup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5284

C:\Program Files (x86)\Google5284_366045745\bin\updater.exe
"C:\Program Files (x86)\Google5284_366045745\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={64E97967-8FA2-1C69-255A-BDBF8FF45A0F}&lang=en-GB&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Program Files (x86)\Google5284_366045745\bin\updater.exe
"C:\Program Files (x86)\Google5284_366045745\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xd9758c,0xd97598,0xd975a4
4⤵
- Executes dropped EXE
PID:4420

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1116

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xfa758c,0xfa7598,0xfa75a4
2⤵
- Executes dropped EXE
PID:3664

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x258,0x284,0xfa758c,0xfa7598,0xfa75a4
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5968

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\125.0.6422.113_chrome_installer.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\125.0.6422.113_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\fc006bff-7932-4921-8c81-bee2a60ed8b8.tmp"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3532

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\fc006bff-7932-4921-8c81-bee2a60ed8b8.tmp"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:4484

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7df5e2698,0x7ff7df5e26a4,0x7ff7df5e26b0
4⤵
- Executes dropped EXE
PID:5572

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3484

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1852_1780756738\CR_7D502.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7df5e2698,0x7ff7df5e26a4,0x7ff7df5e26b0
5⤵
- Executes dropped EXE
PID:5336

C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe" --rename-chrome-exe --system-level --verbose-logging --channel=stable
2⤵
- Executes dropped EXE
PID:4068

C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6d0e02698,0x7ff6d0e026a4,0x7ff6d0e026b0
3⤵
- Executes dropped EXE
PID:2336

C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe" --channel=stable --delete-old-versions --system-level --verbose-logging
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2548

C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6d0e02698,0x7ff6d0e026a4,0x7ff6d0e026b0
4⤵
- Executes dropped EXE
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:5772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffad34cab58,0x7ffad34cab68,0x7ffad34cab78
2⤵
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1908,i,1700757789930354156,17915754318387505009,131072 /prefetch:2
2⤵
PID:5124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1908,i,1700757789930354156,17915754318387505009,131072 /prefetch:8
2⤵
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --flag-switches-begin --flag-switches-end
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffacfa51c70,0x7ffacfa51c7c,0x7ffacfa51c88
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2044,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=2040 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1800,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=2156 /prefetch:3
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2288,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=2280 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3200 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3240 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:6048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4532 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4752,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4820 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3780,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3740 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5020,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=5096 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=5124,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=5100 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3208,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=5256 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3392,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3440 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3180,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3384 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4520,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3228 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5768,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3440 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5756,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4740 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=4584,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=6112 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5724,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=5920 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6024,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=6028 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6112,i,7880505463287050955,4989101239897144369,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=5336 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024

C:\Program Files\Google\Chrome\Application\125.0.6422.113\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:1564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3720

C:\Users\Admin\Downloads\Microsoft Remote Desktop Installer.exe
"C:\Users\Admin\Downloads\Microsoft Remote Desktop Installer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5184

C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_10.2.3012.0_x64__8wekyb3d8bbwe\RdClient.Windows.exe
"C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_10.2.3012.0_x64__8wekyb3d8bbwe\RdClient.Windows.exe" -ServerName:App.AppXy6vfcz2ffwpss4e0b6aa4q1y6ab9bf27.mca
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --wake --system
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:5808

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xfa758c,0xfa7598,0xfa75a4
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5388

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xfa758c,0xfa7598,0xfa75a4
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1928

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x258,0x284,0xfa758c,0xfa7598,0xfa75a4
2⤵
- Executes dropped EXE
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultfabde567h45a7h43d4ha5fch4046200a7132
1⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffacebf46f8,0x7ffacebf4708,0x7ffacebf4718
2⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,8658412734477010997,5892814834018842899,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
2⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,8658412734477010997,5892814834018842899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,8658412734477010997,5892814834018842899,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
2⤵
PID:4908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffacfa51c70,0x7ffacfa51c7c,0x7ffacfa51c88
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=1980 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1972,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=2024 /prefetch:3
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2288,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=2508 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3132 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3172 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4556 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4756,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
- Executes dropped EXE
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4736,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
- Executes dropped EXE
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=4948,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
- Executes dropped EXE
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1124,i,12099055230664805027,8133039823878529290,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=868 /prefetch:8
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Program Files\Google\Chrome\Application\125.0.6422.113\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1a0ebab7h84e6h4059hb2f4h9bccbf0eb1f6
1⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffacebf46f8,0x7ffacebf4708,0x7ffacebf4718
2⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,3253988803480234037,4125507518156339165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
2⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,3253988803480234037,4125507518156339165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,3253988803480234037,4125507518156339165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
2⤵
PID:1796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TroubleshootActivation
1⤵
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:5764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery