9bb9b429599af896e15e17f93bd828d8917cffaff40b6107b47dfb6972b59145

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.113\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 38 IoCs

Processes:

ChromeSetup.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe125.0.6422.113_chrome_installer.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

pid	process
3648	ChromeSetup.exe
1440	updater.exe
2436	updater.exe
3480	updater.exe
2416	updater.exe
4668	updater.exe
2908	updater.exe
3492	125.0.6422.113_chrome_installer.exe
1396	setup.exe
1584	setup.exe
1052	setup.exe
2852	setup.exe
4956	setup.exe
1620	setup.exe
2172	setup.exe
1588	setup.exe
4188	chrome.exe
3936	chrome.exe
2448	chrome.exe
3560	chrome.exe
2324	chrome.exe
1460	chrome.exe
428	chrome.exe
4920	chrome.exe
1968	elevation_service.exe
4792	chrome.exe
4628	chrome.exe
1804	chrome.exe
4180	chrome.exe
2212	chrome.exe
2396	chrome.exe
4340	chrome.exe
1144	updater.exe
924	updater.exe
4296	updater.exe
3136	updater.exe
3260	updater.exe
4216	updater.exe

Loads dropped DLL 38 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4188	chrome.exe
3936	chrome.exe
4188	chrome.exe
2448	chrome.exe
3560	chrome.exe
2324	chrome.exe
2448	chrome.exe
2324	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
3560	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
1460	chrome.exe
428	chrome.exe
428	chrome.exe
1460	chrome.exe
4920	chrome.exe
4920	chrome.exe
4792	chrome.exe
4792	chrome.exe
4628	chrome.exe
4628	chrome.exe
1804	chrome.exe
1804	chrome.exe
4180	chrome.exe
4180	chrome.exe
2212	chrome.exe
2212	chrome.exe
2396	chrome.exe
2396	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.113\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.113\\notification_helper.exe"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

Processes:

updater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 1 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exeupdater.exeupdater.exeupdater.exeupdater.exechrome.exeupdater.exeupdater.exe125.0.6422.113_chrome_installer.exeupdater.exesetup.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\gu.pak	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe7aa27f.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\chrome_elf.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\de.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\hr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\pl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Application\new_chrome.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\_metadata\verified_contents.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\WidevineCdm\manifest.json	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4188_1107217674\crl-set	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\ar.pak	setup.exe
File created	C:\Program Files\Crashpad\settings.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\uninstall.cmd	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\es-419.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\049e1507-b4a2-42ac-883c-d9dfa5a62ad2.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\c69430fb-7a2f-4858-8b1d-bcb9c019a6d6.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\uninstall.cmd	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\5987071f-27c2-4055-b706-6aa6ea386535.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe7fe1c2.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\libEGL.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\fc212e4a-39a7-43d8-972e-1f96ca6d8457.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\VisualElements\Logo.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\nl.pak	setup.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\CHROME.PACKED.7Z	125.0.6422.113_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\hi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\lv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\he.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\chrome_proxy.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\default_apps\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\ca.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4188_538247605\_metadata\verified_contents.json	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\ja.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\Locales\hu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\optimization_guide_internal.dll	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\9f738625-0179-4b5e-833c-eeb4a89bc849.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\chrome_wer.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\notification_helper.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\dxil.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\f654ad0a-0959-4620-97d3-beafac63f1ae.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1396_337165180\Chrome-bin\125.0.6422.113\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4188_538247605\manifest.json	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

chrome.exesetup.exesvchost.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609970527855824"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC	svchost.exe

Modifies registry class 64 IoCs

Processes:

updater.exeupdater.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ = "IAppVersionWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DF978A78-4301-5160-9D81-9DA6EED2B58F}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\ = "{F4334319-8210-469B-8262-DD03623FEB5B}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ServiceParameters = "--com-service"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\4"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\ = "{F63F6F8B-ACD5-413C-A44B-0409136D26CB}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\ = "{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DF978A78-4301-5160-9D81-9DA6EED2B58F}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\ = "{27634814-8E41-4C35-8577-980134A96544}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B4168B26-4DAC-5948-8F80-84C2235AD469}\TypeLib\ = "{B4168B26-4DAC-5948-8F80-84C2235AD469}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{7AA668AD-44C9-562C-B3B0-104376A71AFE}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\127.0.6490.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0	updater.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exechrome.exechrome.exeupdater.exeupdater.exeupdater.exechrome.exechrome.exeupdater.exeupdater.exeupdater.exe

pid	process
4132	chrome.exe
4132	chrome.exe
4740	chrome.exe
4740	chrome.exe
4572	chrome.exe
4572	chrome.exe
1440	updater.exe
1440	updater.exe
1440	updater.exe
1440	updater.exe
1440	updater.exe
1440	updater.exe
3480	updater.exe
3480	updater.exe
3480	updater.exe
3480	updater.exe
3480	updater.exe
3480	updater.exe
4668	updater.exe
4668	updater.exe
4668	updater.exe
4668	updater.exe
4668	updater.exe
4668	updater.exe
4668	updater.exe
4668	updater.exe
4188	chrome.exe
4188	chrome.exe
4340	chrome.exe
4340	chrome.exe
1144	updater.exe
1144	updater.exe
1144	updater.exe
1144	updater.exe
4296	updater.exe
4296	updater.exe
4296	updater.exe
4296	updater.exe
3260	updater.exe
3260	updater.exe
3260	updater.exe
3260	updater.exe
3260	updater.exe
3260	updater.exe
3260	updater.exe
3260	updater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exechrome.exechrome.exe

description	pid	process
Token: SeTcbPrivilege	3636	svchost.exe
Token: SeRestorePrivilege	3636	svchost.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe
Token: SeShutdownPrivilege	4740	chrome.exe
Token: SeCreatePagefilePrivilege	4740	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

SystemSettingsAdminFlows.exechrome.exechrome.exe

pid	process
4184	SystemSettingsAdminFlows.exe
4184	SystemSettingsAdminFlows.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4740	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SystemSettingsAdminFlows.exe

pid process

4184 SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost.exechrome.exe

description	pid	process	target process
PID 3636 wrote to memory of 3948	3636	svchost.exe	dashost.exe
PID 3636 wrote to memory of 3948	3636	svchost.exe	dashost.exe
PID 4132 wrote to memory of 616	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 616	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1020	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 4264	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 4264	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe
PID 4132 wrote to memory of 1892	4132	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Firework Stars.png"
1⤵
PID:3848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\system32\dashost.exe
dashost.exe {c5a9bbd2-9038-4bf9-921f7c143fb34c1e}
2⤵
PID:3948

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TroubleshootActivation
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc772ab58,0x7ffcc772ab68,0x7ffcc772ab78
2⤵
PID:616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:2
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:8
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:1
2⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:1
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:1
2⤵
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:8
2⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:8
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:8
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1940,i,1051257069472655644,14960199732856779956,131072 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff76f16ae48,0x7ff76f16ae58,0x7ff76f16ae68
3⤵
PID:1136

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc772ab58,0x7ffcc772ab68,0x7ffcc772ab78
2⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:2
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4936 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5116 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5112 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3292 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3120 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3320 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2448 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5236 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5584 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5856 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5892 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6124 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6196 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6368 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5824 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5028 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6756 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6168 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7208 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7352 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=4404 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:1
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5780 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3196 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4164 --field-trial-handle=1868,i,13322052407835254020,2289679118513042772,131072 /prefetch:8
2⤵
PID:4836

C:\Users\Admin\Downloads\ChromeSetup.exe
"C:\Users\Admin\Downloads\ChromeSetup.exe"
2⤵
- Executes dropped EXE
PID:3648

C:\Program Files (x86)\Google3648_1262361577\bin\updater.exe
"C:\Program Files (x86)\Google3648_1262361577\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={61A591E5-F7C7-72BC-07C8-F520FDF6DF9F}&lang=en-GB&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1440

C:\Program Files (x86)\Google3648_1262361577\bin\updater.exe
"C:\Program Files (x86)\Google3648_1262361577\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xb8758c,0xb87598,0xb875a4
4⤵
- Executes dropped EXE
PID:2436

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x38c 0x504
1⤵
PID:2352

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x10f758c,0x10f7598,0x10f75a4
2⤵
- Executes dropped EXE
PID:2416

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4668

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x10f758c,0x10f7598,0x10f75a4
2⤵
- Executes dropped EXE
PID:2908

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\125.0.6422.113_chrome_installer.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\125.0.6422.113_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\a07ead26-55e3-4f4c-a3a6-98d30ca53f01.tmp"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3492

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\a07ead26-55e3-4f4c-a3a6-98d30ca53f01.tmp"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:1396

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff617952698,0x7ff6179526a4,0x7ff6179526b0
4⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1052

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4668_449800288\CR_EBA59.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff617952698,0x7ff6179526a4,0x7ff6179526b0
5⤵
- Executes dropped EXE
PID:2852

C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe" --rename-chrome-exe --system-level --verbose-logging --channel=stable
2⤵
- Executes dropped EXE
PID:4956

C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7e6592698,0x7ff7e65926a4,0x7ff7e65926b0
3⤵
- Executes dropped EXE
PID:1620

C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe" --channel=stable --delete-old-versions --system-level --verbose-logging
3⤵
- Executes dropped EXE
PID:2172

C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7e6592698,0x7ff7e65926a4,0x7ff7e65926b0
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc772ab58,0x7ffcc772ab68,0x7ffcc772ab78
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1912,i,11235782091625587535,15775976418944222858,131072 /prefetch:2
2⤵
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1912,i,11235782091625587535,15775976418944222858,131072 /prefetch:8
2⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --flag-switches-begin --flag-switches-end
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.113 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcba841c70,0x7ffcba841c7c,0x7ffcba841c88
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2036,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=2032 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1936,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=2084 /prefetch:3
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2288,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=2304 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3192 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3216 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4444 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4772,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4784 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4988,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4924 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5060,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=4896 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=4944,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=5040 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3212,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=3220 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5108,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=5040 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5184,i,8707012640067803013,1095633289572012485,262144 --variations-seed-version=20240523-050130.357000 --mojo-platform-channel-handle=5036 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4340

C:\Program Files\Google\Chrome\Application\125.0.6422.113\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.113\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:2628

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --wake --system
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x10f758c,0x10f7598,0x10f75a4
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:924

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x10f758c,0x10f7598,0x10f75a4
2⤵
- Executes dropped EXE
PID:3136

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3260

C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\127.0.6490.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=127.0.6490.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x10f758c,0x10f7598,0x10f75a4
2⤵
- Executes dropped EXE
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery