chaos | 2c1d1c6cc6fea441623d1cdc663656f171fa66d92809a157915c2ada06a121cf

pid	Process
2968	bcdedit.exe
1196	bcdedit.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.127\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
2476	wbadmin.exe

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	WareY666.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	chrome.exe

Drops startup file 12 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\read_it.txt	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\read_it.txt	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hvlz	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.hvlz	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.hvlz	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	Decrypter.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
368	WareY666.exe
1388	svchost.exe
4232	ChromeSetup.exe
2892	updater.exe
228	updater.exe
980	updater.exe
2124	updater.exe
1052	updater.exe
1300	updater.exe
4528	126.0.6478.127_chrome_installer.exe
304	setup.exe
4352	setup.exe
1812	setup.exe
4688	setup.exe
4736	updater.exe
1348	updater.exe
512	setup.exe
2996	setup.exe
4868	setup.exe
3788	setup.exe
4152	chrome.exe
2264	chrome.exe
3400	chrome.exe
436	chrome.exe
3012	chrome.exe
5108	chrome.exe
308	chrome.exe
2932	elevation_service.exe
1584	chrome.exe
3336	chrome.exe
3076	chrome.exe
1544	chrome.exe
4440	chrome.exe
3344	chrome.exe
6188	chrome.exe
6824	chrome.exe
5668	chrome.exe
5856	chrome.exe
5268	chrome.exe
2828	updater.exe
4532	updater.exe
5460	updater.exe
5496	updater.exe
6152	updater.exe
6172	updater.exe
5020	chrome.exe
5952	chrome.exe
6272	chrome.exe
2276	chrome.exe
4888	chrome.exe
6720	chrome.exe
6672	chrome.exe
6816	elevation_service.exe
6880	chrome.exe
6688	chrome.exe
2820	chrome.exe
3380	chrome.exe
936	chrome.exe
2000	chrome.exe
2152	chrome.exe
4248	chrome.exe
396	chrome.exe
5320	chrome.exe
6428	chrome.exe

Loads dropped DLL 64 IoCs

pid	Process
4152	chrome.exe
2264	chrome.exe
4152	chrome.exe
3400	chrome.exe
436	chrome.exe
436	chrome.exe
3012	chrome.exe
3012	chrome.exe
3400	chrome.exe
3400	chrome.exe
5108	chrome.exe
3400	chrome.exe
3400	chrome.exe
308	chrome.exe
308	chrome.exe
3400	chrome.exe
3400	chrome.exe
3400	chrome.exe
5108	chrome.exe
1584	chrome.exe
1584	chrome.exe
3336	chrome.exe
3336	chrome.exe
3076	chrome.exe
3076	chrome.exe
1544	chrome.exe
1544	chrome.exe
4440	chrome.exe
4440	chrome.exe
3344	chrome.exe
3344	chrome.exe
6188	chrome.exe
6188	chrome.exe
6824	chrome.exe
6824	chrome.exe
5668	chrome.exe
5668	chrome.exe
5856	chrome.exe
5856	chrome.exe
5856	chrome.exe
5856	chrome.exe
5856	chrome.exe
5268	chrome.exe
5268	chrome.exe
5020	chrome.exe
5952	chrome.exe
5020	chrome.exe
6272	chrome.exe
6272	chrome.exe
2276	chrome.exe
4888	chrome.exe
2276	chrome.exe
4888	chrome.exe
6272	chrome.exe
6272	chrome.exe
6272	chrome.exe
6272	chrome.exe
6272	chrome.exe
6272	chrome.exe
6672	chrome.exe
6720	chrome.exe
6672	chrome.exe
6720	chrome.exe
6880	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops desktop.ini file(s) 35 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini	Decrypter.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
386	camo.githubusercontent.com
438	raw.githubusercontent.com
439	raw.githubusercontent.com
84	raw.githubusercontent.com
85	raw.githubusercontent.com
385	camo.githubusercontent.com

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xm85a1u16.jpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\86825b67n.jpg"	Decrypter.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\chrome.dll	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4152_304584535\_metadata\verified_contents.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\optimization_guide_internal.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\6cd61827-4c7e-4d78-9791-0a2560f83da4.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\VisualElements\Logo.png	setup.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\_metadata\verified_contents.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\ca.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\a52d3718-56b1-4dd6-951d-e0e753501c7d.tmp	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\manifest.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\WidevineCdm\LICENSE	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\d253a648-10a5-47fd-9dbf-2cfb8c909cd1.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\sl.pak	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\a52d3718-56b1-4dd6-951d-e0e753501c7d.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe62461c.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\fr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\th.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4152_304584535\LICENSE	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\126.0.6478.127.manifest	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\de.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\new_chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\id.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\et.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe5d1773.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\WidevineCdm\manifest.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\c6bd9342-d65e-444e-ae12-951e0f2927f7.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source304_725961640\Chrome-bin\126.0.6478.127\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\SETUP.EX_	126.0.6478.127_chrome_installer.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 17 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1070.004

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
1928	vssadmin.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651792983408864"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\ = "{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncherSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win64	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CLSID	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\ = "{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\ = "{C4622B28-A747-44C7-96AF-319BE5C3B261}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib\ = "{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatus"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win32\ = "C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.127\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib\ = "{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib\ = "{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ = "ICompleteStatusSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8FCD652C-D470-570F-9A74-B31F9AB8F368}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib\ = "{85AE4AE3-8530-516B-8BE4-A456BF2637D3}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\ = "GoogleUpdater TypeLib for IAppVersionWeb"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ = "IProcessLauncher2"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.127\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib\ = "{4DC034A8-4BFC-4D43-9250-914163356BB0}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe

Opens file in notepad (likely ransom note) 2 IoCs

pid	Process
3800	NOTEPAD.EXE
4108	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1388	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
368	WareY666.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
1388	svchost.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
184	taskmgr.exe
1088	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe
184	taskmgr.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4720	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
968	OpenWith.exe
1772	OpenWith.exe
4564	OpenWith.exe
4268	firefox.exe
2452	OpenWith.exe
3052	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4516	3812	chrome.exe	92
PID 3812 wrote to memory of 4516	3812	chrome.exe	92
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4292	3812	chrome.exe	93
PID 3812 wrote to memory of 4168	3812	chrome.exe	94
PID 3812 wrote to memory of 4168	3812	chrome.exe	94
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95
PID 3812 wrote to memory of 2252	3812	chrome.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lime.dll,#1
1⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff845e0cc40,0x7ff845e0cc4c,0x7ff845e0cc58
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5136,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5248,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4948,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5468,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5284,i,14723483140135435943,12790726980072459535,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:4772
- C:\Users\Admin\Downloads\WareY666.exe
  "C:\Users\Admin\Downloads\WareY666.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:368
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    PID:1388
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      4⤵
      PID:4084
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1928
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:5048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      PID:3052
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2968
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1196
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      4⤵
      PID:1104
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:2476
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:3800

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:4664

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4732

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff845e0cc40,0x7ff845e0cc4c,0x7ff845e0cc58
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1640,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=1356 /prefetch:2
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4812,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4616,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5376,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5352,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5648,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5396,i,5890523990925054693,10921096200476035068,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:3244
- C:\Users\Admin\Downloads\ChromeSetup.exe
  "C:\Users\Admin\Downloads\ChromeSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:4232
- - C:\Program Files (x86)\Google4232_1151959533\bin\updater.exe
    "C:\Program Files (x86)\Google4232_1151959533\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DE677D75-1E3D-484C-8127-89DB86886EA3}&lang=en-GB&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Modifies registry class
    PID:2892
  - - C:\Program Files (x86)\Google4232_1151959533\bin\updater.exe
      "C:\Program Files (x86)\Google4232_1151959533\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xe82604,0xe82610,0xe8261c
      4⤵
      Executes dropped EXE
      PID:228

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1804

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
PID:980
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x792604,0x792610,0x79261c
  2⤵
  - Executes dropped EXE
  PID:2124

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:1052
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x792604,0x792610,0x79261c
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1300
- C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\126.0.6478.127_chrome_installer.exe
  "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\126.0.6478.127_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\4ba604a4-e699-4f14-8218-539aae4ff3d6.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4528
- - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\setup.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\4ba604a4-e699-4f14-8218-539aae4ff3d6.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    PID:304
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6339446a8,0x7ff6339446b4,0x7ff6339446c0
      4⤵
      Executes dropped EXE
      PID:4352
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:1812
    - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\setup.exe
        
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1052_435661153\CR_F8038.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6339446a8,0x7ff6339446b4,0x7ff6339446c0
        5⤵
        Executes dropped EXE
        
        PID:4688

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Downloads\ExitSelect.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:2576

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\read_it.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff845e0cc40,0x7ff845e0cc4c,0x7ff845e0cc58
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,510268622600008253,16945946007759679760,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1764,i,510268622600008253,16945946007759679760,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --flag-switches-begin --flag-switches-end
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff834d71c70,0x7ff834d71c7c,0x7ff834d71c88
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=2000 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1880,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=2036 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2292,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=2444 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3088 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3052,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3124 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=4468 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=4712 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=4984,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5020 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3100,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=4280 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3320,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5364,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5360 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3136,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5448 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5464,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3140 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3248,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=4452 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5284,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5024 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3140,i,12128521910247621777,17289112302832478454,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=1072 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5268

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:4736
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x792604,0x792610,0x79261c
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1348
- C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe" --rename-chrome-exe --system-level --verbose-logging --channel=stable
  2⤵
  - Executes dropped EXE
  PID:512
- - C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7777f46a8,0x7ff7777f46b4,0x7ff7777f46c0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2996
- - C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe" --channel=stable --delete-old-versions --system-level --verbose-logging
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4868
  - - C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x274,0x278,0x27c,0x270,0x280,0x7ff7777f46a8,0x7ff7777f46b4,0x7ff7777f46c0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3788

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4408
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2236 -parentBuildID 20240401114208 -prefsHandle 2152 -prefMapHandle 2144 -prefsLen 21257 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a2ded06-6b70-4431-95c8-4c7fa437cc07} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" gpu
    3⤵
    PID:3244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 21257 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfe56946-c59a-4a63-ac2c-f632029e163d} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" socket
    3⤵
    - Checks processor information in registry
    PID:1184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2788 -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 2840 -prefsLen 21326 -prefMapSize 243020 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7741f0cb-53df-458b-a07a-07acb4684fb7} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:5304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 2 -isForBrowser -prefsHandle 3020 -prefMapHandle 3504 -prefsLen 22178 -prefMapSize 243020 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {558e3c2e-3fe9-4bf1-83ad-24c8cc1eb92e} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:5476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4540 -parentBuildID 20240401114208 -prefsHandle 4532 -prefMapHandle 4492 -prefsLen 28819 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3396bfcc-282e-4d1e-ad3d-a3a97d3222e8} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" rdd
    3⤵
    PID:5952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5276 -prefMapHandle 5256 -prefsLen 30354 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c573567-7778-4fd9-8e23-31b6da7273b5} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" utility
    3⤵
    - Checks processor information in registry
    PID:6312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5232 -prefMapHandle 5176 -prefsLen 28507 -prefMapSize 243020 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f00c4e-61d2-48b1-84d8-3069fb8d1817} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:6372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 4 -isForBrowser -prefsHandle 5652 -prefMapHandle 3900 -prefsLen 28555 -prefMapSize 243020 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9fb9150-38f3-473a-aaa7-73b720382353} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:6888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 5 -isForBrowser -prefsHandle 3296 -prefMapHandle 3376 -prefsLen 28585 -prefMapSize 243020 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff5be2bd-a5b3-4aef-9791-f77f0a9c6514} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:6920

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --wake --system
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2828
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x792604,0x792610,0x79261c
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4532

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5460
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x792604,0x792610,0x79261c
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5496

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:6152
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x254,0x280,0x278,0x284,0x792604,0x792610,0x79261c
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:6172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff834d71c70,0x7ff834d71c7c,0x7ff834d71c88
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1888,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=2072 /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2320,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3880,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=4844,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4460,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5112,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5484,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5632,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5708,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=3344,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5964,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=3332,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=3220,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5284,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:6488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=3232,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6232,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6220,i,2178238164120996937,4246215047648519268,262144 --variations-seed-version=20240710-180217.653000 --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  PID:7020
- C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe
  "C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe"
  2⤵
  PID:6804

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:6816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2252

C:\Users\Admin\Downloads\a-decrypter\Decrypter.exe
"C:\Users\Admin\Downloads\a-decrypter\Decrypter.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
PID:5908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery