xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.127\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4472	powershell.exe
4972	powershell.exe
4308	powershell.exe
4632	powershell.exe

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\en-US\battc.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\BTHUSB.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tcpip.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\devauthe.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\UmBus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\wacompen.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\luafv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mrxsmb10.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\werkernel.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\hidclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\filecrypt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\netbt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\urscx01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WindowsTrustedRT.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\EhStorPwdDrv.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbccgp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WdFilter.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\CmBatt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\iorate.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\gpuenergydrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidusb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mssecflt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\afd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tpm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WdfLdr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\winhv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\disk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Dumpata.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\http.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\volmgrx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scsiport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdbss.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mslldp.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\sdbus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sfloppy.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\stornvme.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UevAgentDriver.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\storqosflt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\volume.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dxgmms1.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\isapnp.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pcmcia.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\nsiproxy.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\xinputhid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mmcss.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\netvsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbhub.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ipnat.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ksecdd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mausbip.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\Microsoft.Bluetooth.Profiles.HidOverGatt.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scfilter.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msrpc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\umbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\rfxvmt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\kbdclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\synth3dvsc.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wacompen.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\irenum.sys	cmd.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	cmd.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe

Checks computer location settings 2 TTPs 36 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	chrome.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
2452	svhost.exe
4960	svhost.exe
4888	svhost.exe
1788	svhost.exe
1356	svhost.exe
4680	svhost.exe
4668	svhost.exe
4284	svhost.exe
4156	rojmhh.exe
5084	updater.exe
1784	updater.exe
592	updater.exe
4068	updater.exe
2340	updater.exe
1832	updater.exe
2148	126.0.6478.127_chrome_installer.exe
316	setup.exe
2292	setup.exe
3988	setup.exe
920	setup.exe
4288	chrome.exe
2436	chrome.exe
3628	chrome.exe
4180	chrome.exe
424	chrome.exe
408	chrome.exe
2268	chrome.exe
1896	chrome.exe
3092	chrome.exe
1348	elevation_service.exe
5020	chrome.exe
3868	chrome.exe
5032	chrome.exe
4016	chrome.exe
3624	chrome.exe
2116	chrome.exe
4380	chrome.exe
968	chrmstp.exe
208	chrmstp.exe
2944	chrmstp.exe
2544	chrmstp.exe
3012	chrome.exe
3788	chrome.exe
4304	chrome.exe
948	chrome.exe
4896	chrome.exe
4888	chrome.exe
4132	chrome.exe
520	chrome.exe
436	chrome.exe
4216	chrome.exe
3928	chrome.exe
3624	chrome.exe
3112	chrome.exe
5768	chrome.exe
4848	chrome.exe
5460	chrome.exe
5288	chrome.exe
4308	chrome.exe
5368	chrome.exe
5808	chrome.exe
5820	chrome.exe
1880	chrome.exe
1796	chrome.exe

Loads dropped DLL 64 IoCs

pid	Process
4288	chrome.exe
2436	chrome.exe
4288	chrome.exe
3628	chrome.exe
4180	chrome.exe
3628	chrome.exe
4180	chrome.exe
424	chrome.exe
424	chrome.exe
3628	chrome.exe
3628	chrome.exe
3628	chrome.exe
3628	chrome.exe
3628	chrome.exe
3628	chrome.exe
408	chrome.exe
408	chrome.exe
2268	chrome.exe
2268	chrome.exe
1896	chrome.exe
1896	chrome.exe
3092	chrome.exe
3092	chrome.exe
5020	chrome.exe
5020	chrome.exe
3868	chrome.exe
3868	chrome.exe
5032	chrome.exe
5032	chrome.exe
4016	chrome.exe
4016	chrome.exe
3624	chrome.exe
2116	chrome.exe
3624	chrome.exe
2116	chrome.exe
4380	chrome.exe
4380	chrome.exe
3788	chrome.exe
4304	chrome.exe
4304	chrome.exe
3788	chrome.exe
3012	chrome.exe
3012	chrome.exe
948	chrome.exe
948	chrome.exe
4896	chrome.exe
4888	chrome.exe
4896	chrome.exe
4888	chrome.exe
4132	chrome.exe
520	chrome.exe
436	chrome.exe
436	chrome.exe
520	chrome.exe
4216	chrome.exe
3928	chrome.exe
4216	chrome.exe
3928	chrome.exe
3624	chrome.exe
3112	chrome.exe
3624	chrome.exe
3112	chrome.exe
4132	chrome.exe
5768	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops desktop.ini file(s) 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\AM6020~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4B40~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4F04~2.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA2CB~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM690B~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM11AF~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMDDAD~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\X86617~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM664C~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM1C0B~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMDE56~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7BFB~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC6FC~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA4BE~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM9DBE~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7077~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4552~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM59AD~2.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM0935~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3D76~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4CF3~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM9F84~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD94D~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM2B68~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD7B5~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM0E5E~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM63CB~1.0_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3085~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6528~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4D7C~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM0683~1.0_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM0743~1.0_N\Desktop.ini	cmd.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BITLOC~1\autorun.inf	cmd.exe
File opened for modification	C:\Windows\WinSxS\X83420~1.0_N\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\NETATH~2.INF\eeprom_qca9377_1p1_NFA435_olpc_A.bin	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\btpanui.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\twinui.appcore.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\Windows.System.Launcher.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\appraiser.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\cic.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\tasklist.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\SYSTEM~1\ja-JP\RjvClassicApp.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WIASA0~1.INF\amd64\SA216X.icc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\wdma_usb.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\FileHistory.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WINDOW~1\v1.0\Modules\PSDESI~1\DSCRES~1\SERVIC~1\ServiceSet.psd1	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNLXC~1.INF\LXclVBW.XML	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\msimsg.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\wer.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\NTPRIN~1.INF\Amd64\PS_SCHM.GDL	cmd.exe
File opened for modification	C:\Windows\System32\en-US\DpiScaling.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\he-IL\fms.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\REPLAC~1\Microsoft-Windows-ServerManager-RSAT-RoleTools-Replacement.man	cmd.exe
File opened for modification	C:\Windows\SysWOW64\pt-BR\quickassist.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\fingerprintcredential.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\wpd_ci.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\perfdisk.dll	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\Modules\WINDOW~3\ja\Microsoft.WindowsSearch.Commands.Resources.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\DefaultPrinterProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\mciseq.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\credprovs.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\SystemPropertiesProtection.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\F12\en-US\F12Platform2.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\elscore.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rnr20.dll	cmd.exe
File opened for modification	C:\Windows\System32\compact.exe	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\webclnt.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\Dism\fr-FR\DmiProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDMERI~2.INF\mdmeric2.inf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNDLC~1.INF\deCP6-manifest.ini	cmd.exe
File opened for modification	C:\Windows\System32\slr100.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\dnscmmc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\lpasvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\microsoft-windows-storage-tiering-events.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\PlayToStatusProvider.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\localsec.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\userinitext.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\wdmaud.drv.mui	cmd.exe
File opened for modification	C:\Windows\System32\acppage.dll	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\ncryptprov.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\Sysprep\ACTION~1\GENERA~1.XML	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\GCDEF.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\hidserv.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\oledlg.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\ndishc.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\urlmon.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\fr-FR\capimg.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\DLMANI~1\Mup-DL.man	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Devices.Picker.dll	cmd.exe
File opened for modification	C:\Windows\System32\VEDataLayerHelpers.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\CredentialMigrationHandler.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ddodiag.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\ctfmon.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\certmgr.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\w32tm.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\systeminfo.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\AuthExt.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\tsmf.dll.mui	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI7B67~1.0_X\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI0911~1.0_X\LUMIA~1.VID\AlphaBlendingEffectPS_Y.cso	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIE984~1.0_X\Assets\SECOND~1\TRAFFI~1\CONTRA~2\SmallTile.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MICROS~3.0_X\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIEA86~1.0_X\Assets\HOWTOP~1\Spider\Goal_40.jpg	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIB685~1.0_X\images\CONTRA~1\HxA-Advanced-Light.scale-150.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI7B67~1.0_X\Microsoft.Xbox.SmartGlass.winmd	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\fr\System.Speech.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MICROS~1.0_X\Assets\MANIFE~1\CONTRA~2\SplashScreen.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\STATIO~1\Bears.jpg	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI20CB~1.0_X\images\CONTRA~1\OneNoteSectionGroupLargeTile.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI9599~1.0_X\Assets\WINDOW~1\WindowsCameraAppList.contrast-black_targetsize-96.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI8A07~1.SCA\Assets\SplashScreen.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\System.IdentityModel.dll	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\it\System.Management.Instrumentation.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\WINDOW~3\MSFax\COMMON~1\uk-UA\confident.cov	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\DELETE~1\MICROS~3.SCA\Assets\PhotosLargeTile.contrast-white_scale-125.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MID6EE~1.SCA\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI0911~1.0_X\Assets\PhotosAppList.targetsize-40.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI0ADF~1.SCA\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI8A07~1.SCA\Assets\CONTRA~2\Logo.scale-200_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\STATIO~1\OrangeCircles.jpg	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIE03D~1.0_X\Assets\Sounds\Nudge.wma	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIB685~1.0_X\images\9434_20x20x32.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIB685~1.0_X\images\CONTRA~1\HxA-Exchange.scale-250.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIE984~1.0_X\Assets\SECOND~1\Work\MedTile.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MICROS~1.0_X\Assets\HeroHelp\Scenario2RTL.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIEA86~1.0_X\SHARPD~1\RENDER~1\Shaders\Builtin\HLSL\Textured.fx	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIC69C~1.0_X\SkypeApp\Designs\Flags\large\tv_60x42.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIC69C~1.0_X\SkypeApp\Designs\Flags\small\gg_16x11.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MID550~1.SCA\Assets\SECOND~1\DIRECT~1\Place\RTL\CONTRA~2\WideTile.scale-125.png	cmd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\MpClient.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIEA86~1.0_X\Microsoft.Xbox.Services.winmd	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIC69C~1.0_X\SkypeApp\Assets\SkypeAppList.targetsize-48_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIEA86~1.0_X\Assets\Themes\Fable\fable_cardback.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIEA86~1.0_X\SHARPD~1\RENDER~1\Shaders\Builtin\Bin\FullScreenQuad_PS.fxo	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MID550~1.SCA\Assets\SECOND~1\DIRECT~1\Place\RTL\CONTRA~2\LargeTile.scale-125.png	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\STATIO~1\OrangeCircles.jpg	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\bg-BG\tipresx.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MICROS~4.0_X\Assets\AppTiles\WEATHE~2\423x173\15.jpg	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI21E8~1.0_X\Assets\Images\Stickers\THUMBN~1\Sticker_Icon_Pipe_Bend.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI9599~1.0_X\Assets\WINDOW~1\WindowsCameraAppList.contrast-white_targetsize-24.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIB685~1.0_X\images\CONTRA~2\HxMailAppList.targetsize-20.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI97D5~1.SCA\Assets\SECOND~1\Car\LTR\CONTRA~1\WideTile.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MID586~1.SCA\Assets\CONTRA~2\LargeLogo.scale-150_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\APPREP~1\MI70B5~1.XML	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MICROS~1.0_N\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIEA86~1.0_X\Assets\Buttons\FULLSC~1\Windowed.png	cmd.exe
File opened for modification	C:\PROGRA~2\MSBuild\MICROS~1\WINDOW~1\v3.5\Workflow.VisualBasic.Targets	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\es\System.Net.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIC69C~1.0_X\SkypeApp\Designs\Flags\small\lb_16x11.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI7B67~1.0_X\xboxservices.config	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI41D1~1.0_X\Assets\AlarmsAppList.targetsize-16_altform-unplated.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIB685~1.0_X\models\de-DE.PhoneNumber.model	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI7C12~1.0_X\Assets\music_offline_demo_page2.jpg	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\System.Workflow.Runtime.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIAA8F~1.SCA\Assets\GetStartedWideTile.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIEA86~1.0_X\SHARPD~1\RENDER~1\Shaders\Builtin\Bin\LightedTextured_PixelLighting_PS.fxo	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIEA86~1.0_X\Assets\Themes\Classic\classic_12s.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI21E8~1.0_X\Assets\Logos\WIDE31~1\PaintWideTile.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIB685~1.0_X\images\CONTRA~2\OutlookMailBadge.scale-150.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIB685~1.0_X\images\OutlookMailSmallTile.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MI97D5~1.SCA\Assets\AppTiles\CONTRA~1\MapsMedTile.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI7DB9~1\MIC69C~1.0_X\SkypeApp\Assets\SkypeWideTile.scale-200_contrast-white.png	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM287D~1.MAN	cmd.exe
File opened for modification	C:\Windows\INFUSE~1\Packages\MIB685~1.0_X\en-us\officons.ttf	cmd.exe
File opened for modification	C:\Windows\SYSTEM~1\MICROS~1.MIC\Assets\READIN~1\css\StyleFontSizeExtraLarge.css	cmd.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\C1ED2A~1.CAT	cmd.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\57071b988318bc5bd4519d7b88db5a863a2e2aa6bd721d95cf88ee3eab458a29.cat	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM6633~2.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM9524~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MS618E~1.0_F\UIAUTO~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO0972~1.0_N\APPXAP~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM994F~1.0_E\TTLSCF~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMEC1E~1.0_E\SETUPC~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM992A~1.0_F\NVDIMM~1.INF	cmd.exe
File opened for modification	C:\Windows\WinSxS\X861ED~1.0_I\UTILMA~1.MUI	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MI1704~1.CAT	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM10A0~1.0_N\srmtrace.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM250A~2.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AMA24D~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM97C4~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMABED~1.0_N\mpr-dl.man	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AME61A~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\X819D2~1.0_N\ASPNET~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME9B6~1.0_N\85f1257.fon	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM85FC~3.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\X8773A~1.0_N\mpg2splt.ax	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~1\V40~1.303\it\Microsoft.Activities.Build.resources.dll	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\aspnet_perf2.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM00F8~1.0_D\C_MEDI~1.INF	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM3197~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\WO7E92~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\X8109C~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO2644~1.0_N\MICROS~1.DLL	cmd.exe
File opened for modification	C:\Windows\IMMERS~1\Settings\AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~2\V40~1.303\es\Microsoft.CSharp.resources.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM63B7~1.0_F\SQLSRV~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD007~1.0_N\WINDOW~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM8085~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\X8AD43~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM14ED~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\X8FC5C~1.0_D\WINDOW~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBBF1~1.0_N\MICROS~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM668E~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\MSIL_N~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\MSDD25~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3C9F~1.0_N\DEVICE~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM230A~1.0_I\SYSTEM~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\7a4b90f1be2c7877270676c2342b364ba6903bb965f21f0531294f677f44bf19.cat	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\MS92AD~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO4F0C~1.0_I\MSFT_FileDirectoryConfiguration.Schema.mfl	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MIAFCB~1.CAT	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM50B7~2.0_N\SYSTEM~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM4751~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\X86_MS~3.0_N\normnfd.nlp	cmd.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$7D18~1.CDF	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM5A81~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\WOD0DF~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMCDAC~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\b02237879d386b9776f92b084522644afdbc32cdb0759d1002fbd184dc099d4f.cat	cmd.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$D756~1.CDF	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AM2D3A~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~2\AME5EF~1.MAN	cmd.exe
File opened for modification	C:\Windows\DIAGNO~1\system\WINDOW~1\DiagPackage.diagpkg	cmd.exe
File opened for modification	C:\Windows\INFUSE~1\FRAMEW~1\MIF199~1.0_X\AppxManifest.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMAE76~1.0_D\SYSTEM~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\5cca82c057c906de2e8786e7692523c20bc7a8c21633974eb0be533838df29c9.cat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642713922695436"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib\ = "{85AE4AE3-8530-516B-8BE4-A456BF2637D3}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatusSystem"	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-AU\\M3081Matilda"	SearchUI.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "Female"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "11.1"	SearchUI.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "%SystemDrive%\\Data\\SharedData\\Speech_OneCore\\Engines\\TTS\\en-US"	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8FCD652C-D470-570F-9A74-B31F9AB8F368}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\5"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatusValue"	updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "Microsoft Speech SW Voice Activation - English (United States)"	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\AppID = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\ = "{463ABECF-410D-407F-8AF5-0DF35A005CC8}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\tg\DefaultIcon	Telegram.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ = "IPolicyStatus3System"	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "6e-1"	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ = "ICompleteStatusSystem"	updater.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Sayaka"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "Microsoft Sarah Mobile - English (United Kingdom)"	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ = "IUpdaterAppStateSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4EB300E9-4F8A-5D14-B795-36796C40660C}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ = "IUpdaterAppStateSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ = "IPolicyStatusValueSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\ = "GoogleUpdater TypeLib for IGoogleUpdate3Web"	updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchUI.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4e = "Microsoft Zira Mobile"	SearchUI.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ = "IAppVersionWebSystem"	updater.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2896	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
912	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1908	Telegram.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4632	powershell.exe
4632	powershell.exe
4632	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
5084	updater.exe
5084	updater.exe
5084	updater.exe
5084	updater.exe
5084	updater.exe
5084	updater.exe
592	updater.exe
592	updater.exe
592	updater.exe
592	updater.exe
592	updater.exe
592	updater.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
5084	updater.exe
5084	updater.exe
4288	chrome.exe
4288	chrome.exe
4404	chrome.exe
4404	chrome.exe
4308	updater.exe
4308	updater.exe
4308	updater.exe
4308	updater.exe
5812	updater.exe
5812	updater.exe
5812	updater.exe
5812	updater.exe
5812	updater.exe
5812	updater.exe
2220	updater.exe
2220	updater.exe
2220	updater.exe
2220	updater.exe
6124	updater.exe
6124	updater.exe
6124	updater.exe
6124	updater.exe
1744	updater.exe
1744	updater.exe
1744	updater.exe
1744	updater.exe
1744	updater.exe
1744	updater.exe
1744	updater.exe
1744	updater.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
824	sv.exe
4832	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

pid	Process
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	sv.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeIncreaseQuotaPrivilege	4632	powershell.exe
Token: SeSecurityPrivilege	4632	powershell.exe
Token: SeTakeOwnershipPrivilege	4632	powershell.exe
Token: SeLoadDriverPrivilege	4632	powershell.exe
Token: SeSystemProfilePrivilege	4632	powershell.exe
Token: SeSystemtimePrivilege	4632	powershell.exe
Token: SeProfSingleProcessPrivilege	4632	powershell.exe
Token: SeIncBasePriorityPrivilege	4632	powershell.exe
Token: SeCreatePagefilePrivilege	4632	powershell.exe
Token: SeBackupPrivilege	4632	powershell.exe
Token: SeRestorePrivilege	4632	powershell.exe
Token: SeShutdownPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeSystemEnvironmentPrivilege	4632	powershell.exe
Token: SeRemoteShutdownPrivilege	4632	powershell.exe
Token: SeUndockPrivilege	4632	powershell.exe
Token: SeManageVolumePrivilege	4632	powershell.exe
Token: 33	4632	powershell.exe
Token: 34	4632	powershell.exe
Token: 35	4632	powershell.exe
Token: 36	4632	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeIncreaseQuotaPrivilege	4472	powershell.exe
Token: SeSecurityPrivilege	4472	powershell.exe
Token: SeTakeOwnershipPrivilege	4472	powershell.exe
Token: SeLoadDriverPrivilege	4472	powershell.exe
Token: SeSystemProfilePrivilege	4472	powershell.exe
Token: SeSystemtimePrivilege	4472	powershell.exe
Token: SeProfSingleProcessPrivilege	4472	powershell.exe
Token: SeIncBasePriorityPrivilege	4472	powershell.exe
Token: SeCreatePagefilePrivilege	4472	powershell.exe
Token: SeBackupPrivilege	4472	powershell.exe
Token: SeRestorePrivilege	4472	powershell.exe
Token: SeShutdownPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeSystemEnvironmentPrivilege	4472	powershell.exe
Token: SeRemoteShutdownPrivilege	4472	powershell.exe
Token: SeUndockPrivilege	4472	powershell.exe
Token: SeManageVolumePrivilege	4472	powershell.exe
Token: 33	4472	powershell.exe
Token: 34	4472	powershell.exe
Token: 35	4472	powershell.exe
Token: 36	4472	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeIncreaseQuotaPrivilege	4972	powershell.exe
Token: SeSecurityPrivilege	4972	powershell.exe
Token: SeTakeOwnershipPrivilege	4972	powershell.exe
Token: SeLoadDriverPrivilege	4972	powershell.exe
Token: SeSystemProfilePrivilege	4972	powershell.exe
Token: SeSystemtimePrivilege	4972	powershell.exe
Token: SeProfSingleProcessPrivilege	4972	powershell.exe
Token: SeIncBasePriorityPrivilege	4972	powershell.exe
Token: SeCreatePagefilePrivilege	4972	powershell.exe
Token: SeBackupPrivilege	4972	powershell.exe
Token: SeRestorePrivilege	4972	powershell.exe
Token: SeShutdownPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeSystemEnvironmentPrivilege	4972	powershell.exe
Token: SeRemoteShutdownPrivilege	4972	powershell.exe
Token: SeUndockPrivilege	4972	powershell.exe
Token: SeManageVolumePrivilege	4972	powershell.exe
Token: 33	4972	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
1908	Telegram.exe
1908	Telegram.exe
1908	Telegram.exe
1908	Telegram.exe
1908	Telegram.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
392	SearchUI.exe
4832	OpenWith.exe
1908	Telegram.exe
1908	Telegram.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 4632	824	sv.exe	73
PID 824 wrote to memory of 4632	824	sv.exe	73
PID 824 wrote to memory of 4472	824	sv.exe	76
PID 824 wrote to memory of 4472	824	sv.exe	76
PID 824 wrote to memory of 4972	824	sv.exe	78
PID 824 wrote to memory of 4972	824	sv.exe	78
PID 824 wrote to memory of 4308	824	sv.exe	80
PID 824 wrote to memory of 4308	824	sv.exe	80
PID 824 wrote to memory of 912	824	sv.exe	82
PID 824 wrote to memory of 912	824	sv.exe	82
PID 824 wrote to memory of 4156	824	sv.exe	117
PID 824 wrote to memory of 4156	824	sv.exe	117
PID 824 wrote to memory of 4156	824	sv.exe	117
PID 4156 wrote to memory of 5084	4156	rojmhh.exe	118
PID 4156 wrote to memory of 5084	4156	rojmhh.exe	118
PID 4156 wrote to memory of 5084	4156	rojmhh.exe	118
PID 5084 wrote to memory of 1784	5084	updater.exe	119
PID 5084 wrote to memory of 1784	5084	updater.exe	119
PID 5084 wrote to memory of 1784	5084	updater.exe	119
PID 592 wrote to memory of 4068	592	updater.exe	121
PID 592 wrote to memory of 4068	592	updater.exe	121
PID 592 wrote to memory of 4068	592	updater.exe	121
PID 2340 wrote to memory of 1832	2340	updater.exe	123
PID 2340 wrote to memory of 1832	2340	updater.exe	123
PID 2340 wrote to memory of 1832	2340	updater.exe	123
PID 2340 wrote to memory of 2148	2340	updater.exe	125
PID 2340 wrote to memory of 2148	2340	updater.exe	125
PID 2148 wrote to memory of 316	2148	126.0.6478.127_chrome_installer.exe	126
PID 2148 wrote to memory of 316	2148	126.0.6478.127_chrome_installer.exe	126
PID 316 wrote to memory of 2292	316	setup.exe	127
PID 316 wrote to memory of 2292	316	setup.exe	127
PID 316 wrote to memory of 3988	316	setup.exe	128
PID 316 wrote to memory of 3988	316	setup.exe	128
PID 3988 wrote to memory of 920	3988	setup.exe	129
PID 3988 wrote to memory of 920	3988	setup.exe	129
PID 5084 wrote to memory of 4288	5084	updater.exe	130
PID 5084 wrote to memory of 4288	5084	updater.exe	130
PID 4288 wrote to memory of 2436	4288	chrome.exe	131
PID 4288 wrote to memory of 2436	4288	chrome.exe	131
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132
PID 4288 wrote to memory of 3628	4288	chrome.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:912
- C:\Users\Admin\AppData\Local\Temp\rojmhh.exe
  "C:\Users\Admin\AppData\Local\Temp\rojmhh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Program Files (x86)\Google4156_260075420\bin\updater.exe
    "C:\Program Files (x86)\Google4156_260075420\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1E5E5C4F-2824-A1A8-B948-33835CA392B5}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Program Files (x86)\Google4156_260075420\bin\updater.exe
      "C:\Program Files (x86)\Google4156_260075420\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x254,0x258,0x25c,0x250,0x260,0x1472604,0x1472610,0x147261c
      4⤵
      Executes dropped EXE
      PID:1784
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdc29f1c70,0x7ffdc29f1c7c,0x7ffdc29f1c88
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2436
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=2068 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1688,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=2104 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=1880,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2972,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=3040 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:408
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2980,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=3164 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2268
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3652,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:2
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1896
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3880,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:2
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4616,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4664 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4864,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4880 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3868
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4880,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5032
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4964,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4536 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4016
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=5104,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5072,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2116
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5020,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4380
    - - C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel=stable --force-configure-user-settings
        5⤵
        Executes dropped EXE
        
        PID:968
      - C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6e80646a8,0x7ff6e80646b4,0x7ff6e80646c0
        6⤵
        Executes dropped EXE
        
        PID:208
      - C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\chrmstp.exe" --channel=stable --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        6⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6e80646a8,0x7ff6e80646b4,0x7ff6e80646c0
        7⤵
        Executes dropped EXE
        
        PID:2544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5232,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3012
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5380,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3788
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5428,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4304
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5356,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5432,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4896
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5280,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5532,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4768,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5076,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:436
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5192,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5064,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5368 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3928
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4800,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5916,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5508,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:2
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5972,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:2
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4848
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5260,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5460
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5536,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5288
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=3224,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5336,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5964 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5368
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=5772,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=4300,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5820
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5616,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:1880
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4104,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:1796
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4792,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=3280 /prefetch:8
        5⤵
        
        PID:5352
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5572,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=944 /prefetch:8
        5⤵
        
        PID:2584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=3268,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:4628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=3196,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5672 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:3336
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=5932,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:3268
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6284,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:8
        5⤵
        
        PID:6064
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6344,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:8
        5⤵
        
        PID:6084
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6192,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:8
        5⤵
        
        PID:5976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6160,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:8
        5⤵
        
        PID:3480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6256,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=3052 /prefetch:8
        5⤵
        
        PID:5372
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=6168,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:8
        5⤵
        
        PID:5344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5776,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:8
        5⤵
        
        PID:5624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=6148,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6176 /prefetch:8
        5⤵
        
        PID:3064
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6288,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=3112 /prefetch:8
        5⤵
        
        PID:1648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6280,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=3124 /prefetch:8
        5⤵
        
        PID:304
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=6156,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=3112 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:2396
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6324,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:8
        5⤵
        
        PID:2052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5060,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8
        5⤵
        
        PID:3668
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=6740,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6756 /prefetch:2
        5⤵
        Checks computer location settings
        
        PID:4236
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=5648,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:5024
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3600,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=4640,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:200
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=6520,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:4176
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=5284,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6028
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=4740,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:2916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=6216,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:2
        5⤵
        Checks computer location settings
        
        PID:5088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5612,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
        5⤵
        
        PID:5468
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=4076,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6832 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:5256
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=6824,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:2
        5⤵
        Checks computer location settings
        
        PID:1536
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=6136,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:4356
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=3168,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:2280
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5660,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8
        5⤵
        
        PID:3460
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=7044,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:5332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5236,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:8
        5⤵
        
        PID:4132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=6620,i,5692819042014307938,18276949546990115635,262144 --variations-seed-version --mojo-platform-channel-handle=1400 /prefetch:2
        5⤵
        Checks computer location settings
        
        PID:216

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2452

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4960

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4888

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1788

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1356

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4680

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\crash.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\crash.bat"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies termsrv.dll
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2052

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#125 S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
1⤵
PID:520

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3848

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x442604,0x442610,0x44261c
  2⤵
  - Executes dropped EXE
  PID:4068

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x442604,0x442610,0x44261c
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\126.0.6478.127_chrome_installer.exe
  "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\126.0.6478.127_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\819504aa-c901-41bf-a515-a1e81b5ee434.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\CR_1D35B.tmp\setup.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\CR_1D35B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\CR_1D35B.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\819504aa-c901-41bf-a515-a1e81b5ee434.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\CR_1D35B.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\CR_1D35B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff68e0546a8,0x7ff68e0546b4,0x7ff68e0546c0
      4⤵
      Executes dropped EXE
      PID:2292
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\CR_1D35B.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\CR_1D35B.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\CR_1D35B.tmp\setup.exe
        
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2340_1185920072\CR_1D35B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff68e0546a8,0x7ff68e0546b4,0x7ff68e0546c0
        5⤵
        Executes dropped EXE
        
        PID:920

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1348

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:1736

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:1976

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:4764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4832

C:\Users\Admin\AppData\Local\Temp\rojmhh.exe
"C:\Users\Admin\AppData\Local\Temp\rojmhh.exe"
1⤵
PID:1480
- C:\Program Files (x86)\Google1480_1324308787\bin\updater.exe
  "C:\Program Files (x86)\Google1480_1324308787\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1E5E5C4F-2824-A1A8-B948-33835CA392B5}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- - C:\Program Files (x86)\Google1480_1324308787\bin\updater.exe
    "C:\Program Files (x86)\Google1480_1324308787\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x14d2604,0x14d2610,0x14d261c
    3⤵
    PID:5664

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5812
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x442604,0x442610,0x44261c
  2⤵
  PID:6072

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --wake --system
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2220
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x442604,0x442610,0x44261c
  2⤵
  PID:2264

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:6124
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x442604,0x442610,0x44261c
  2⤵
  PID:5576

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1744
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x442604,0x442610,0x44261c
  2⤵
  PID:5672

C:\Users\Admin\Desktop\Telegram\Telegram.exe
"C:\Users\Admin\Desktop\Telegram\Telegram.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Print Processors

T1547.012

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Print Processors

T1547.012

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery