1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Snipping Tool = "\"C:\\Users\\Admin\\AppData\\Roaming\\Free Snipping Tool\\App\\Free Snipping Tool.exe\" \"/autoStart\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Snipping Tool Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Free Snipping Tool\\App\\updater.exe\" \"/silentall\" \"-nofreqcheck\" \"-nogui\""	msiexec.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.127\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

Processes:

updater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

138 discord.com
208 discord.com
354 discord.com
136 discord.com
137 discord.com

flow	ioc
138	discord.com
208	discord.com
354	discord.com
136	discord.com
137	discord.com

Drops file in System32 directory 16 IoCs

Processes:

AnyDesk.exesetup.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\WidevineCdm\LICENSE	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\vk_swiftshader.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Application\new_chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\es-419.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\ml.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\e0e8d62f-e900-4c1c-b1f6-6cefbe5aacaf.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe613ac6.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\lv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\chrome_wer.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\optimization_guide_internal.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\icudtl.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\te.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\sr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\it.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\fi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\ko.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\5f353f8b-7b8b-404e-8c61-0c98c4ffd207.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\cs.pak	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\a0ae2c7f-7319-4b54-9a93-612b32c12c33.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\f619b248-fa7b-4df7-a6fb-b277c6377027.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\89d6cf7e-d459-4276-aad8-2ea0d6be23d5.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\hr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\nl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe60cebe.TMP	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\5f353f8b-7b8b-404e-8c61-0c98c4ffd207.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\sw.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\ta.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\libEGL.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\5ebebd8f-446f-455d-8025-751b4123bbc8.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\am.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\Locales\ur.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\VisualElements\SmallLogoBeta.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source72_459843010\Chrome-bin\126.0.6478.127\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exeupdater.exechrome.exe126.0.6478.127_chrome_installer.exesetup.exeUserOOBEBroker.exeChromeSetup.exesetup.exesetup.exesetup.exesetup.exesetup.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI8D8F.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\76ed43fc-ce18-405f-a64a-b6ffc4b73996.tmp	updater.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2872_888850742\Filtering Rules	chrome.exe
File created	C:\Windows\Installer\e648955.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4550EAA1-0259-4456-8397-D033C7A8181C}	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2872_888850742\_metadata\verified_contents.json	chrome.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5451.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54A2.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBBBBE9772F5F122A.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\setup.exe	126.0.6478.127_chrome_installer.exe
File opened for modification	C:\Windows\Installer\MSI8C35.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4578D312B8A8133D.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF01165E8093452D9C.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55E0.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF737AEDEAEEF88669.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2872_888850742\LICENSE.txt	chrome.exe
File opened for modification	C:\Windows\Installer\MSI8C25.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55CF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI556E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI557F.tmp	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\Google3400_59671669\UPDATER.PACKED.7Z	ChromeSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\SETUP.EX_	126.0.6478.127_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2872_662756267\manifest.fingerprint	chrome.exe
File opened for modification	C:\Windows\Installer\MSI8BE5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEFF.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\CHROME.PACKED.7Z	126.0.6478.127_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2872_662756267\_metadata\verified_contents.json	chrome.exe
File opened for modification	C:\Windows\Installer\MSI55BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF4E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF5F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5450.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2872_662756267\manifest.json	chrome.exe
File opened for modification	C:\Windows\Installer\MSI5430.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp	ChromeSetup.exe
File created	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2872_888850742\manifest.json	chrome.exe
File created	C:\Windows\SystemTemp\~DF05A4341896E7CC66.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5472.tmp	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\Google3400_57037313\bin\updater.exe	ChromeSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\_metadata\verified_contents.json	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\~DF729D51DC47047611.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_5924_234573434\-8a69d345-d564-463c-aff1-a69d9e530f96-_126.0.6478.127_all_kqgvyxebv4r63jac66435t45xq.crx3	updater.exe
File opened for modification	C:\Windows\Installer\MSI8CA4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5462.tmp	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\126.0.6478.127_chrome_installer.exe	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\manifest.json	updater.exe

Executes dropped EXE 64 IoCs

Processes:

ChromeSetup.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe126.0.6478.127_chrome_installer.exesetup.exesetup.exesetup.exesetup.exeupdater.exeupdater.exesetup.exesetup.exesetup.exesetup.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeXSpammer-Installer.exeXSpammer.exeXSpammer.exeXSpammer.exeXSpammer.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exechrome.exeXSpammer.exechrome.exechrome.exechrome.exechrome.exe

pid	process
3400	ChromeSetup.exe
5664	updater.exe
5700	updater.exe
3464	updater.exe
3516	updater.exe
5924	updater.exe
5932	updater.exe
5384	126.0.6478.127_chrome_installer.exe
72	setup.exe
3048	setup.exe
5308	setup.exe
5304	setup.exe
5252	updater.exe
5056	updater.exe
5584	setup.exe
5792	setup.exe
2052	setup.exe
1620	setup.exe
2872	chrome.exe
5148	chrome.exe
2808	chrome.exe
4280	chrome.exe
6084	chrome.exe
1084	chrome.exe
5552	elevation_service.exe
3552	chrome.exe
4244	chrome.exe
6088	chrome.exe
5564	chrome.exe
4864	chrome.exe
3524	chrome.exe
3052	chrome.exe
5996	chrome.exe
1596	chrome.exe
1908	chrome.exe
5336	chrome.exe
5300	chrome.exe
5872	chrome.exe
1880	chrome.exe
6140	chrome.exe
5484	chrome.exe
5704	chrome.exe
5608	chrome.exe
2660	chrome.exe
1204	chrome.exe
6004	chrome.exe
4864	chrome.exe
1576	XSpammer-Installer.exe
3276	XSpammer.exe
4128	XSpammer.exe
3064	XSpammer.exe
4056	XSpammer.exe
5360	updater.exe
6028	updater.exe
5052	updater.exe
4232	updater.exe
1020	updater.exe
5488	updater.exe
560	chrome.exe
2068	XSpammer.exe
708	chrome.exe
5628	chrome.exe
5788	chrome.exe
4968	chrome.exe

Loads dropped DLL 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2872	chrome.exe
5148	chrome.exe
2872	chrome.exe
2808	chrome.exe
2808	chrome.exe
4280	chrome.exe
6084	chrome.exe
6084	chrome.exe
1084	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
1084	chrome.exe
4280	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
3552	chrome.exe
3552	chrome.exe
4244	chrome.exe
4244	chrome.exe
6088	chrome.exe
6088	chrome.exe
5564	chrome.exe
5564	chrome.exe
4864	chrome.exe
4864	chrome.exe
3524	chrome.exe
3524	chrome.exe
3052	chrome.exe
3052	chrome.exe
5996	chrome.exe
5996	chrome.exe
1596	chrome.exe
1908	chrome.exe
1596	chrome.exe
5336	chrome.exe
5336	chrome.exe
1908	chrome.exe
5300	chrome.exe
5872	chrome.exe
5872	chrome.exe
5300	chrome.exe
1880	chrome.exe
1880	chrome.exe
6140	chrome.exe
6140	chrome.exe
5484	chrome.exe
5484	chrome.exe
5704	chrome.exe
5704	chrome.exe
5608	chrome.exe
5608	chrome.exe
2660	chrome.exe
2660	chrome.exe
1204	chrome.exe
1204	chrome.exe
6004	chrome.exe
6004	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000cb92cce0afe2208d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000cb92cce00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900cb92cce0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dcb92cce0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000cb92cce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

AnyDesk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1100 tasklist.exe

pid	process
1100	tasklist.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

setup.exechrome.exesvchost.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639074342079414"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe

Modifies registry class 64 IoCs

Processes:

updater.exechrome.exeupdater.exesetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\ = "{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FCD652C-D470-570F-9A74-B31F9AB8F368}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\ = "GoogleUpdater TypeLib for IUpdaterCallbackSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\TypeLib\ = "{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32	updater.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ = "IGoogleUpdate3WebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ = "IPolicyStatus4System"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\ = "{0CD01D1E-4A1C-489D-93B9-9B6672877C57}"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\4"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\ProxyStubClsid32	updater.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ = "IUpdaterAppStatesCallbackSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib\ = "{8476CE12-AE1F-4198-805C-BA0F9B783F57}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\AppID = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib\ = "{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}\AppID = "{8018F647-BF07-55BB-82BE-A2D7049F7CE4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ = "IUpdaterAppStateSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib	updater.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

chrome.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	chrome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	chrome.exe

NTFS ADS 5 IoCs

Processes:

XSpammer-Installer.exechrome.exeFree Snipping Tool.exechrome.exechrome.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\xspammer-updater\installer.exe\:Zone.Identifier:$DATA	XSpammer-Installer.exe
File opened for modification	C:\Users\Admin\Downloads\Free Snipping Tool - 7.6.0.0.msi:Zone.Identifier	chrome.exe
File opened for modification	C:\ProgramData\BrightData\b77cf2bb62ce2b412a461159d601ba4895e98beb\lum_sdk_session_id:LUM:$DATA	Free Snipping Tool.exe
File opened for modification	C:\Users\Admin\Downloads\ChromeSetup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\XSpammer-Installer.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

AnyDesk.exe

pid process

1260 AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AnyDesk.exeAnyDesk.exechrome.exechrome.exeupdater.exeupdater.exeupdater.exeupdater.exechrome.exechrome.exeXSpammer-Installer.exetasklist.exeXSpammer.exeupdater.exeupdater.exeupdater.exe

pid	process
3796	AnyDesk.exe
3796	AnyDesk.exe
3796	AnyDesk.exe
3796	AnyDesk.exe
3796	AnyDesk.exe
3796	AnyDesk.exe
4896	AnyDesk.exe
4896	AnyDesk.exe
908	chrome.exe
908	chrome.exe
4052	chrome.exe
4052	chrome.exe
5664	updater.exe
5664	updater.exe
5664	updater.exe
5664	updater.exe
5664	updater.exe
5664	updater.exe
3464	updater.exe
3464	updater.exe
3464	updater.exe
3464	updater.exe
3464	updater.exe
3464	updater.exe
5924	updater.exe
5924	updater.exe
5924	updater.exe
5924	updater.exe
5924	updater.exe
5924	updater.exe
5924	updater.exe
5924	updater.exe
5252	updater.exe
5252	updater.exe
5252	updater.exe
5252	updater.exe
5252	updater.exe
5252	updater.exe
2872	chrome.exe
2872	chrome.exe
4864	chrome.exe
4864	chrome.exe
1576	XSpammer-Installer.exe
1576	XSpammer-Installer.exe
1100	tasklist.exe
1100	tasklist.exe
4056	XSpammer.exe
4056	XSpammer.exe
4056	XSpammer.exe
4056	XSpammer.exe
5360	updater.exe
5360	updater.exe
5360	updater.exe
5360	updater.exe
5052	updater.exe
5052	updater.exe
5052	updater.exe
5052	updater.exe
1020	updater.exe
1020	updater.exe
1020	updater.exe
1020	updater.exe
1020	updater.exe
1020	updater.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AnyDesk.exe

pid process

2236 AnyDesk.exe

pid	process
2236	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AnyDesk.exeAUDIODG.EXEchrome.exe

description	pid	process
Token: SeDebugPrivilege	3796	AnyDesk.exe
Token: 33	3716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3716	AUDIODG.EXE
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

AnyDesk.exechrome.exechrome.exe

pid	process
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of SendNotifyMessage 58 IoCs

Processes:

AnyDesk.exechrome.exechrome.exechrome.exeFree Snipping Tool.exe

pid	process
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2948	Free Snipping Tool.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe
1260	AnyDesk.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AnyDesk.exechrome.exe

pid process

2236 AnyDesk.exe
2236 AnyDesk.exe
560 chrome.exe

pid	process
2236	AnyDesk.exe
2236	AnyDesk.exe
560	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AnyDesk.exechrome.exe

description	pid	process	target process
PID 4896 wrote to memory of 3796	4896	AnyDesk.exe	AnyDesk.exe
PID 4896 wrote to memory of 3796	4896	AnyDesk.exe	AnyDesk.exe
PID 4896 wrote to memory of 3796	4896	AnyDesk.exe	AnyDesk.exe
PID 4896 wrote to memory of 1260	4896	AnyDesk.exe	AnyDesk.exe
PID 4896 wrote to memory of 1260	4896	AnyDesk.exe	AnyDesk.exe
PID 4896 wrote to memory of 1260	4896	AnyDesk.exe	AnyDesk.exe
PID 908 wrote to memory of 1460	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 1460	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 2396	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3024	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3024	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe
PID 908 wrote to memory of 3612	908	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2236
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4952

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4840

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5f63ab58,0x7fff5f63ab68,0x7fff5f63ab78
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4188 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4148 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5180
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6f7adae48,0x7ff6f7adae58,0x7ff6f7adae68
    3⤵
    PID:5196
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5396
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6f7adae48,0x7ff6f7adae58,0x7ff6f7adae68
    3⤵
    PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5124 --field-trial-handle=1792,i,6065947067590317910,13516568723251620716,131072 /prefetch:1
  2⤵
  PID:5556

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5f63ab58,0x7fff5f63ab68,0x7fff5f63ab78
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4284 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4540 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4900 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5580 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5612 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5560 --field-trial-handle=1804,i,13206351300044406418,5279341957846476710,131072 /prefetch:8
  2⤵
  PID:3104
- C:\Users\Admin\Downloads\ChromeSetup.exe
  "C:\Users\Admin\Downloads\ChromeSetup.exe"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  PID:3400
- - C:\Windows\SystemTemp\Google3400_57037313\bin\updater.exe
    "C:\Windows\SystemTemp\Google3400_57037313\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A1A3DB29-9B6B-2D5D-3AEF-345833085CDC}&lang=en-GB&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
    3⤵
    - Checks whether UAC is enabled
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5664
  - - C:\Windows\SystemTemp\Google3400_57037313\bin\updater.exe
      C:\Windows\SystemTemp\Google3400_57037313\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x1232604,0x1232610,0x123261c
      4⤵
      Executes dropped EXE
      PID:5700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1992

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3464
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6a2604,0x6a2610,0x6a261c
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:3516

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5924
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6a2604,0x6a2610,0x6a261c
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:5932
- C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\126.0.6478.127_chrome_installer.exe
  "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\126.0.6478.127_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\76ed43fc-ce18-405f-a64a-b6ffc4b73996.tmp"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  PID:5384
- - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\setup.exe
    "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\setup.exe" --install-archive="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\76ed43fc-ce18-405f-a64a-b6ffc4b73996.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies registry class
    PID:72
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\setup.exe
      C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff64e4f46a8,0x7ff64e4f46b4,0x7ff64e4f46c0
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      PID:3048
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\setup.exe
      "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Drops file in System32 directory
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:5308
    - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\setup.exe
        
        C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5924_848394637\CR_30A3D.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff64e4f46a8,0x7ff64e4f46b4,0x7ff64e4f46c0
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:5304

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5252
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6a2604,0x6a2610,0x6a261c
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe" --rename-chrome-exe --system-level --verbose-logging --channel=stable
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  PID:5584
- - C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff62c7546a8,0x7ff62c7546b4,0x7ff62c7546c0
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    PID:5792
- - C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe" --channel=stable --delete-old-versions --system-level --verbose-logging
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    PID:2052
  - - C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff62c7546a8,0x7ff62c7546b4,0x7ff62c7546c0
      4⤵
      Executes dropped EXE
      PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks system information in the registry
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5f2b1c70,0x7fff5f2b1c7c,0x7fff5f2b1c88
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2072,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=2144 /prefetch:11
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2260,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=2256 /prefetch:13
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4516,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4836,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=4888 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4900,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5036 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=4976,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=4948 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5388,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5520,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5448,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3240,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5084 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4964,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5340 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5736,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5748 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5724,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5880 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5852,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=4696 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4552,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=5332,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=4664 /prefetch:12
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=3268,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5832 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5328,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5820 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - NTFS ADS
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3332,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3488,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5916 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5704,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6044 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1176,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5976 /prefetch:10
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=4932,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=4744 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=4904,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6052,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:5628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6240,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6228 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5868,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6260 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6252,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=5744,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=6092,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6512,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6324,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6504 /prefetch:14
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4796,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6728 /prefetch:14
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=5812,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6284,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6356,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6684,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6956,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6932 /prefetch:14
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5916,i,6403505014694662516,5467135915564094394,262144 --variations-seed-version=20240626-050141.435000 --mojo-platform-channel-handle=6204 /prefetch:14
  2⤵
  - NTFS ADS
  PID:3296
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Free Snipping Tool - 7.6.0.0.msi"
  2⤵
  - Enumerates connected drives
  PID:5492

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:5500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5276

C:\Users\Admin\Downloads\XSpammer-Installer.exe
"C:\Users\Admin\Downloads\XSpammer-Installer.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq XSpammer.exe" | %SYSTEMROOT%\System32\find.exe "XSpammer.exe"
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq XSpammer.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    PID:1100
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\System32\find.exe "XSpammer.exe"
    3⤵
    PID:3276

C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe"
1⤵
- Executes dropped EXE
PID:3276
- C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xspammer" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1464 --field-trial-handle=1644,i,2905756478852502072,8577617209998681963,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xspammer" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes=app --fetch-schemes=app --service-worker-schemes=app --streaming-schemes --mojo-platform-channel-handle=1892 --field-trial-handle=1644,i,2905756478852502072,8577617209998681963,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\xspammer" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes=app --fetch-schemes=app --service-worker-schemes=app --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\xspammer\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2416 --field-trial-handle=1644,i,2905756478852502072,8577617209998681963,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\xspammer" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2576 --field-trial-handle=1644,i,2905756478852502072,8577617209998681963,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:2068

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --wake --system
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5360
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6a2604,0x6a2610,0x6a261c
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:6028

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Checks whether UAC is enabled
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5052
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x27c,0x2a4,0x6a2604,0x6a2610,0x6a261c
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:4232

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1020
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6a2604,0x6a2610,0x6a261c
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:5488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
PID:5176
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7EB4557AC4396626FB5055BB2586A7FB C
  2⤵
  PID:5804
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1364
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 938B41AD7096CBC44B529A022D441C81
  2⤵
  PID:3132
- C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Free Snipping Tool.exe
  "C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Free Snipping Tool.exe" /autoStart
  2⤵
  - NTFS ADS
  - Suspicious use of SendNotifyMessage
  PID:2948
- - C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.exe
    "C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.exe" "/silentall" "-nofreqcheck" "-nogui"
    3⤵
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.exe
      "C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.exe" /install silentall "C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.ini"
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\RSpark, Limited Liability Company\Free Snipping Tool\updates\updates\Free Snipping Tool - 7.6.0.0.msi" /qn
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{CEA3679E-9D26-44D5-B243-1FAA0460EAEB}..bat" "
        5⤵
        
        PID:4752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\{CEA3679E-9D26-44D5-B243-1FAA0460EAEB}..bat" "
        6⤵
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        6⤵
        
        PID:1276
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 42B61458F0E0AEF9C2B4ECECEAE10D7E
  2⤵
  PID:5132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery