chaos | 709777343867951673bdc9d75a58c462bae590215e6e124b9c7abccfbbed0b30

pid	Process
2504	bcdedit.exe
3560	bcdedit.exe
1056	bcdedit.exe
2784	bcdedit.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
1972	wbadmin.exe
292	wbadmin.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt	Decrypter.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url	Decrypter.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	App.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.andt	Decrypter.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	App.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1376880307-1734125928-2892936080-1000\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	App.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1376880307-1734125928-2892936080-1000\desktop.ini	Decrypter.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1376880307-1734125928-2892936080-1000\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	App.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sp9ch407p.jpg"	App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\75b6oaa8i.jpg"	Decrypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmjfdega.jpg"	App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9jk0seu2x.jpg"	Decrypter.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Executes dropped EXE 6 IoCs

pid	Process
4168	GLPG.exe
5116	App.exe
2004	Decrypter.exe
3028	GLPG.exe
1784	App.exe
2076	Decrypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1070.004

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
4388	vssadmin.exe
4340	vssadmin.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133652519155291938"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	App.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	App.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\App.exe\:Zone.Identifier:$DATA	GLPG.exe
File opened for modification	C:\Users\Admin\Downloads\glpg_decrypter-main.zip:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Roaming\App.exe\:Zone.Identifier:$DATA	GLPG.exe
File opened for modification	C:\Users\Admin\Downloads\GLPG.exe:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

pid	Process
2984	NOTEPAD.EXE
3780	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5116	App.exe
1784	App.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1456	chrome.exe
1456	chrome.exe
3504	chrome.exe
3504	chrome.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
4168	GLPG.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
5116	App.exe
1560	chrome.exe
1560	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe
Token: SeShutdownPrivilege	1456	chrome.exe
Token: SeCreatePagefilePrivilege	1456	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe
3816	Taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2852	OpenWith.exe
2304	OpenWith.exe
8	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 4548	1456	chrome.exe	86
PID 1456 wrote to memory of 4548	1456	chrome.exe	86
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3120	1456	chrome.exe	87
PID 1456 wrote to memory of 3924	1456	chrome.exe	88
PID 1456 wrote to memory of 3924	1456	chrome.exe	88
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89
PID 1456 wrote to memory of 2844	1456	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libvlc.dll,#1
1⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa100dcc40,0x7ffa100dcc4c,0x7ffa100dcc58
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1916 /prefetch:3
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4312,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4904,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3480,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3276,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3756 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3344,i,17406246661713793593,8992157002671373809,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:1080

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa100dcc40,0x7ffa100dcc4c,0x7ffa100dcc58
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=2236 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3580,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4336,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4348,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3412,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,2693950364107098261,6357244134568153220,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:4840

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2916
- C:\Windows\system32\dashost.exe
  dashost.exe {d4baa023-95d5-4bfb-bdf24864efc1725a}
  2⤵
  PID:4184
- C:\Windows\system32\dashost.exe
  dashost.exe {57513716-7a59-4bbf-9ad9e71aa68e4af8}
  2⤵
  PID:2828
- C:\Windows\system32\dashost.exe
  dashost.exe {e960f2a0-517c-4057-893d73426083b48b}
  2⤵
  PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:5044

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:4976

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:3816

C:\Users\Admin\Desktop\GLPG.exe
"C:\Users\Admin\Desktop\GLPG.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4168
- C:\Users\Admin\AppData\Roaming\App.exe
  "C:\Users\Admin\AppData\Roaming\App.exe"
  2⤵
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    PID:1968
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:228
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1056
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2504
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3560
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1652
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1972
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_me.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3848

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa100dcc40,0x7ffa100dcc4c,0x7ffa100dcc58
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,15786177778159963361,16729163852155609132,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,15786177778159963361,16729163852155609132,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,15786177778159963361,16729163852155609132,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,15786177778159963361,16729163852155609132,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,15786177778159963361,16729163852155609132,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4288,i,15786177778159963361,16729163852155609132,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,15786177778159963361,16729163852155609132,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,15786177778159963361,16729163852155609132,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:232

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa100dcc40,0x7ffa100dcc4c,0x7ffa100dcc58
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3700,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4576,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3408,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3252,i,7163237283279099734,2349059923008975115,262144 --variations-seed-version=20240711-180158.427000 --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - NTFS ADS
  PID:288

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1492

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\GLPDecryptor-decrypter\" -spe -an -ai#7zMap25586:102:7zEvent19806
1⤵
PID:4596

C:\Users\Admin\Desktop\GLPDecryptor-decrypter\Decrypter.exe
"C:\Users\Admin\Desktop\GLPDecryptor-decrypter\Decrypter.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Executes dropped EXE
PID:2004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:828
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:8
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecae8079-9879-433d-ba7a-2bc81e1c74f2} 8 "\\.\pipe\gecko-crash-server-pipe.8" gpu
    3⤵
    PID:1188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 25785 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df884ce8-c187-4c8b-b2ce-f0d05068618b} 8 "\\.\pipe\gecko-crash-server-pipe.8" socket
    3⤵
    - Checks processor information in registry
    PID:4592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2536 -prefsLen 25926 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b22f214d-6dfe-405c-9c0c-019e627e0b28} 8 "\\.\pipe\gecko-crash-server-pipe.8" tab
    3⤵
    PID:1272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3808 -childID 2 -isForBrowser -prefsHandle 3804 -prefMapHandle 3796 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7c4a6b9-9cd5-4499-85ba-9e84ca4fdf77} 8 "\\.\pipe\gecko-crash-server-pipe.8" tab
    3⤵
    PID:4980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4688 -prefMapHandle 4772 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff72a5a7-7f22-48ec-b79e-66848189904f} 8 "\\.\pipe\gecko-crash-server-pipe.8" utility
    3⤵
    - Checks processor information in registry
    PID:1060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5268 -prefMapHandle 5324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea9e9ff-4754-473c-86b9-6c651a84e4e6} 8 "\\.\pipe\gecko-crash-server-pipe.8" tab
    3⤵
    PID:4020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5332 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed6460f-6282-45b1-bcb4-57a02780eac2} 8 "\\.\pipe\gecko-crash-server-pipe.8" tab
    3⤵
    PID:308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5708 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {393de55e-cc82-44de-b005-0d3951a8297e} 8 "\\.\pipe\gecko-crash-server-pipe.8" tab
    3⤵
    PID:1144

C:\Users\Admin\Desktop\GLPG.exe
"C:\Users\Admin\Desktop\GLPG.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:3028
- C:\Users\Admin\AppData\Roaming\App.exe
  "C:\Users\Admin\AppData\Roaming\App.exe"
  2⤵
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  PID:1784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    PID:2060
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4340
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    PID:448
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1056
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1376
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:292
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_me.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1372

C:\Users\Admin\Desktop\GLPDecryptor-decrypter\Decrypter.exe
"C:\Users\Admin\Desktop\GLPDecryptor-decrypter\Decrypter.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Executes dropped EXE
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery