chaos | 2c1d1c6cc6fea441623d1cdc663656f171fa66d92809a157915c2ada06a121cf

pid	Process
220	bcdedit.exe
2352	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
4452	wbadmin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	GLPG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	App.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.rq3t	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt	Decrypter.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	App.exe

Executes dropped EXE 3 IoCs

pid	Process
2036	GLPG.exe
3964	App.exe
2032	Decrypter.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	App.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	App.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	App.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
74	raw.githubusercontent.com
75	raw.githubusercontent.com
76	raw.githubusercontent.com
111	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v1qk8nnz4.jpg"	App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2cjr9b7wr.jpg"	Decrypter.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1070.004

Inhibit System Recovery

Direct Volume Access

T1006

pid	Process
4516	vssadmin.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653279182755145"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	App.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
2864	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3964	App.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	chrome.exe
2668	chrome.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
2036	GLPG.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
3964	App.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
2032	Decrypter.exe
2032	Decrypter.exe
2032	Decrypter.exe
2032	Decrypter.exe
2032	Decrypter.exe
2032	Decrypter.exe
2032	Decrypter.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe
Token: SeShutdownPrivilege	2668	chrome.exe
Token: SeCreatePagefilePrivilege	2668	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4960	2668	chrome.exe	89
PID 2668 wrote to memory of 4960	2668	chrome.exe	89
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 1124	2668	chrome.exe	90
PID 2668 wrote to memory of 4736	2668	chrome.exe	91
PID 2668 wrote to memory of 4736	2668	chrome.exe	91
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92
PID 2668 wrote to memory of 3708	2668	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lime.dll,#1
1⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffabba4cc40,0x7ffabba4cc4c,0x7ffabba4cc58
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5144,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3204,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5168,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3192,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5180,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5208,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5216,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,7494079981396294423,17101021118681504704,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:2996
- C:\Users\Admin\Downloads\GLPG.exe
  "C:\Users\Admin\Downloads\GLPG.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- - C:\Users\Admin\AppData\Roaming\App.exe
    "C:\Users\Admin\AppData\Roaming\App.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    PID:3964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      4⤵
      PID:216
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4516
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:4736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      PID:508
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:220
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      4⤵
      PID:3760
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:4452
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_me.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:2864

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2756

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffabba4cc40,0x7ffabba4cc4c,0x7ffabba4cc58
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1984,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=1992 /prefetch:3
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:2316
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff652374698,0x7ff6523746a4,0x7ff6523746b0
    3⤵
    - Drops file in Program Files directory
    PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4928,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5036,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5080,i,11801164081918581223,12979227748736979718,262144 --variations-seed-version=20240712-130137.211000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:4168

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2140

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\GLPDecryptor-decrypter\" -spe -an -ai#7zMap10806:106:7zEvent15019
1⤵
PID:1060

C:\Users\Admin\Downloads\GLPDecryptor-decrypter\Decrypter.exe
"C:\Users\Admin\Downloads\GLPDecryptor-decrypter\Decrypter.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
PID:2032

Network

DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

74.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.169.217.172.in-addr.arpa

IN PTR

Response

74.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f101e100net
DNS

99.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.201.58.216.in-addr.arpa

IN PTR

Response

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f991e100net

99.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f3�H

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f3�H
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
DNS

4.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.180.250.142.in-addr.arpa

IN PTR

Response

4.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f41e100net
DNS

138.201.86.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.201.86.20.in-addr.arpa

IN PTR

Response
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.200.14
DNS

14.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.200.250.142.in-addr.arpa

IN PTR

Response

14.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f141e100net
DNS

chrome.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

chrome.google.com

IN A

Response

chrome.google.com

IN CNAME

www3.l.google.com

www3.l.google.com

IN A

172.217.169.78
DNS

78.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.169.217.172.in-addr.arpa

IN PTR

Response

78.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f141e100net
DNS

github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
DNS

github.githubassets.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github.githubassets.com

IN A

Response

github.githubassets.com

IN A

185.199.111.154

github.githubassets.com

IN A

185.199.110.154

github.githubassets.com

IN A

185.199.108.154

github.githubassets.com

IN A

185.199.109.154
DNS

avatars.githubusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

avatars.githubusercontent.com

IN A

Response

avatars.githubusercontent.com

IN A

185.199.111.133

avatars.githubusercontent.com

IN A

185.199.108.133

avatars.githubusercontent.com

IN A

185.199.109.133

avatars.githubusercontent.com

IN A

185.199.110.133
DNS

user-images.githubusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

user-images.githubusercontent.com

IN A

Response

user-images.githubusercontent.com

IN A

185.199.109.133

user-images.githubusercontent.com

IN A

185.199.108.133

user-images.githubusercontent.com

IN A

185.199.111.133

user-images.githubusercontent.com

IN A

185.199.110.133
DNS

github-cloud.s3.amazonaws.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github-cloud.s3.amazonaws.com

IN A

Response

github-cloud.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN CNAME

s3-w.us-east-1.amazonaws.com

s3-w.us-east-1.amazonaws.com

IN A

52.216.42.113

s3-w.us-east-1.amazonaws.com

IN A

52.217.166.241

s3-w.us-east-1.amazonaws.com

IN A

3.5.25.173

s3-w.us-east-1.amazonaws.com

IN A

52.217.91.188

s3-w.us-east-1.amazonaws.com

IN A

16.182.35.185

s3-w.us-east-1.amazonaws.com

IN A

3.5.2.152

s3-w.us-east-1.amazonaws.com

IN A

3.5.28.142

s3-w.us-east-1.amazonaws.com

IN A

3.5.30.211
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

154.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.111.199.185.in-addr.arpa

IN PTR

Response

154.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-154githubcom
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
DNS

content-autofill.googleapis.com

chrome.exe

Remote address:

8.8.8.8:53

Request

content-autofill.googleapis.com

IN A

Response

content-autofill.googleapis.com

IN A

216.58.213.10

content-autofill.googleapis.com

IN A

216.58.204.74

content-autofill.googleapis.com

IN A

142.250.180.10

content-autofill.googleapis.com

IN A

216.58.212.234

content-autofill.googleapis.com

IN A

142.250.178.10

content-autofill.googleapis.com

IN A

142.250.200.42

content-autofill.googleapis.com

IN A

142.250.187.234

content-autofill.googleapis.com

IN A

142.250.187.202

content-autofill.googleapis.com

IN A

142.250.200.10

content-autofill.googleapis.com

IN A

142.250.179.234

content-autofill.googleapis.com

IN A

172.217.16.234

content-autofill.googleapis.com

IN A

216.58.201.106
DNS

collector.github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

collector.github.com

IN A

Response

collector.github.com

IN CNAME

glb-db52c2cf8be544.github.com

glb-db52c2cf8be544.github.com

IN A

140.82.112.22
DNS

api.github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

api.github.com

IN A

Response

api.github.com

IN A

20.26.156.210
DNS

210.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.156.26.20.in-addr.arpa

IN PTR

Response
DNS

10.213.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.213.58.216.in-addr.arpa

IN PTR

Response

10.213.58.216.in-addr.arpa

IN PTR

lhr25s25-in-f101e100net

10.213.58.216.in-addr.arpa

IN PTR

ber01s14-in-f10�H
DNS

22.112.82.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.112.82.140.in-addr.arpa

IN PTR

Response

22.112.82.140.in-addr.arpa

IN PTR

lb-140-82-112-22-iadgithubcom
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
DNS

github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
DNS

github-cloud.s3.amazonaws.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github-cloud.s3.amazonaws.com

IN A

Response

github-cloud.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN CNAME

s3-w.us-east-1.amazonaws.com

s3-w.us-east-1.amazonaws.com

IN A

54.231.201.113

s3-w.us-east-1.amazonaws.com

IN A

52.217.172.209

s3-w.us-east-1.amazonaws.com

IN A

54.231.171.73

s3-w.us-east-1.amazonaws.com

IN A

3.5.29.70

s3-w.us-east-1.amazonaws.com

IN A

3.5.20.46

s3-w.us-east-1.amazonaws.com

IN A

52.217.165.17

s3-w.us-east-1.amazonaws.com

IN A

52.217.198.222

s3-w.us-east-1.amazonaws.com

IN A

3.5.30.200
DNS

collector.github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

collector.github.com

IN A

Response

collector.github.com

IN CNAME

glb-db52c2cf8be544.github.com

glb-db52c2cf8be544.github.com

IN A

140.82.112.22
DNS

api.github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

api.github.com

IN A

Response

api.github.com

IN A

20.26.156.210
DNS

131.72.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.72.42.20.in-addr.arpa

IN PTR

Response
DNS

alive.github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

alive.github.com

IN A

Response

alive.github.com

IN CNAME

live.github.com

live.github.com

IN A

140.82.114.26
DNS

26.114.82.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.114.82.140.in-addr.arpa

IN PTR

Response

26.114.82.140.in-addr.arpa

IN PTR

lb-140-82-114-26-iadgithubcom
DNS

10.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.178.250.142.in-addr.arpa

IN PTR

Response

10.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f101e100net

142.250.180.4:443

www.google.com

tls

chrome.exe

1.0kB
4.6kB
8
9
172.217.169.78:443

chrome.google.com

tls

chrome.exe

1.1kB
8.0kB
9
9
20.26.156.215:443

github.com

tls

chrome.exe

7.2kB
164.0kB
91
152
20.26.156.215:443

github.com

tls

chrome.exe

1.1kB
4.0kB
10
8
185.199.111.154:443

github.githubassets.com

tls

chrome.exe

39.3kB
1.1MB
578
931
185.199.111.154:443

github.githubassets.com

tls

chrome.exe

1.0kB
4.7kB
9
10
185.199.111.154:443

github.githubassets.com

tls

chrome.exe

989 B
4.7kB
9
10
185.199.111.154:443

github.githubassets.com

tls

chrome.exe

1.0kB
4.7kB
9
10
185.199.111.154:443

github.githubassets.com

tls

chrome.exe

1.1kB
4.7kB
9
10
185.199.111.154:443

github.githubassets.com

tls

chrome.exe

1.0kB
4.7kB
9
10
185.199.111.133:443

avatars.githubusercontent.com

tls

chrome.exe

1.9kB
7.3kB
14
17
216.58.213.10:443

content-autofill.googleapis.com

tls

chrome.exe

2.1kB
7.1kB
17
20
185.199.111.154:443

github.githubassets.com

tls

chrome.exe

2.3kB
22.9kB
21
30
140.82.112.22:443

collector.github.com

tls

chrome.exe

12.9kB
10.1kB
38
39
140.82.112.22:443

collector.github.com

tls

chrome.exe

1.1kB
4.6kB
10
8
20.26.156.210:443

api.github.com

tls

chrome.exe

6.9kB
6.8kB
23
23
185.199.110.133:443

raw.githubusercontent.com

tls

chrome.exe

4.0kB
135.0kB
59
108
185.199.110.133:443

raw.githubusercontent.com

tls

chrome.exe

1.1kB
4.8kB
9
10
142.250.180.4:443

www.google.com

tls

chrome.exe

2.3kB
9.8kB
23
27
142.250.200.14:443

clients2.google.com

tls

chrome.exe

1.1kB
8.1kB
10
10
20.26.156.215:443

github.com

tls

chrome.exe

43.2kB
671.7kB
346
573
185.199.111.154:443

github.githubassets.com

tls

chrome.exe

19.1kB
462.4kB
285
416
185.199.111.133:443

avatars.githubusercontent.com

tls

chrome.exe

3.3kB
22.9kB
33
44
185.199.111.154:443

github.githubassets.com

tls

chrome.exe

16.0kB
560.2kB
293
440
140.82.112.22:443

collector.github.com

tls

chrome.exe

41.6kB
23.8kB
108
105
216.58.213.10:443

content-autofill.googleapis.com

tls

chrome.exe

1.1kB
6.0kB
10
9
20.26.156.210:443

api.github.com

tls

chrome.exe

73.6kB
20.2kB
108
100
140.82.114.26:443

alive.github.com

tls

chrome.exe

2.7kB
4.8kB
14
10
140.82.114.26:443

alive.github.com

tls

chrome.exe

2.8kB
4.8kB
14
10
140.82.114.26:443

alive.github.com

tls

chrome.exe

3.2kB
4.9kB
16
11
185.199.110.133:443

raw.githubusercontent.com

tls

chrome.exe

2.6kB
47.8kB
28
44

8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

74.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

74.169.217.172.in-addr.arpa
8.8.8.8:53

99.201.58.216.in-addr.arpa

dns

72 B
169 B
1
1

DNS Request

99.201.58.216.in-addr.arpa
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4
142.250.180.4:443

www.google.com

https

chrome.exe

4.1kB
21.1kB
29
32
8.8.8.8:53

4.180.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

4.180.250.142.in-addr.arpa
8.8.8.8:53

138.201.86.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.201.86.20.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

142.250.200.14
142.250.200.14:443

clients2.google.com

https

chrome.exe

2.4kB
8.1kB
9
12
224.0.0.251:5353

chrome.exe

408 B
6
8.8.8.8:53

14.200.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

14.200.250.142.in-addr.arpa
8.8.8.8:53

chrome.google.com

dns

chrome.exe

63 B
100 B
1
1

DNS Request

chrome.google.com

DNS Response

172.217.169.78
8.8.8.8:53

78.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

78.169.217.172.in-addr.arpa
8.8.8.8:53

github.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

github.githubassets.com

dns

chrome.exe

69 B
133 B
1
1

DNS Request

github.githubassets.com

DNS Response

185.199.111.154

185.199.110.154

185.199.108.154

185.199.109.154
8.8.8.8:53

avatars.githubusercontent.com

dns

chrome.exe

75 B
139 B
1
1

DNS Request

avatars.githubusercontent.com

DNS Response

185.199.111.133

185.199.108.133

185.199.109.133

185.199.110.133
8.8.8.8:53

user-images.githubusercontent.com

dns

chrome.exe

79 B
143 B
1
1

DNS Request

user-images.githubusercontent.com

DNS Response

185.199.109.133

185.199.108.133

185.199.111.133

185.199.110.133
8.8.8.8:53

github-cloud.s3.amazonaws.com

dns

chrome.exe

75 B
253 B
1
1

DNS Request

github-cloud.s3.amazonaws.com

DNS Response

52.216.42.113

52.217.166.241

3.5.25.173

52.217.91.188

16.182.35.185

3.5.2.152

3.5.28.142

3.5.30.211
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa
8.8.8.8:53

154.111.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

154.111.199.185.in-addr.arpa
8.8.8.8:53

133.111.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.111.199.185.in-addr.arpa
8.8.8.8:53

content-autofill.googleapis.com

dns

chrome.exe

77 B
269 B
1
1

DNS Request

content-autofill.googleapis.com

DNS Response

216.58.213.10

216.58.204.74

142.250.180.10

216.58.212.234

142.250.178.10

142.250.200.42

142.250.187.234

142.250.187.202

142.250.200.10

142.250.179.234

172.217.16.234

216.58.201.106
8.8.8.8:53

collector.github.com

dns

chrome.exe

66 B
115 B
1
1

DNS Request

collector.github.com

DNS Response

140.82.112.22
8.8.8.8:53

api.github.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

api.github.com

DNS Response

20.26.156.210
216.58.213.10:443

content-autofill.googleapis.com

https

chrome.exe

3.6kB
7.2kB
9
11
8.8.8.8:53

210.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

210.156.26.20.in-addr.arpa
8.8.8.8:53

10.213.58.216.in-addr.arpa

dns

72 B
141 B
1
1

DNS Request

10.213.58.216.in-addr.arpa
8.8.8.8:53

22.112.82.140.in-addr.arpa

dns

72 B
117 B
1
1

DNS Request

22.112.82.140.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

chrome.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.108.133

185.199.111.133

185.199.109.133
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
142.250.180.4:443

www.google.com

https

chrome.exe

3.2kB
17.6kB
18
23
142.250.200.14:443

clients2.google.com

https

chrome.exe

2.4kB
8.2kB
9
12
8.8.8.8:53

github.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

github-cloud.s3.amazonaws.com

dns

chrome.exe

75 B
253 B
1
1

DNS Request

github-cloud.s3.amazonaws.com

DNS Response

54.231.201.113

52.217.172.209

54.231.171.73

3.5.29.70

3.5.20.46

52.217.165.17

52.217.198.222

3.5.30.200
8.8.8.8:53

collector.github.com

dns

chrome.exe

66 B
115 B
1
1

DNS Request

collector.github.com

DNS Response

140.82.112.22
216.58.213.10:443

content-autofill.googleapis.com

https

chrome.exe

6.7kB
11.1kB
40
42
8.8.8.8:53

api.github.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

api.github.com

DNS Response

20.26.156.210
8.8.8.8:53

131.72.42.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

131.72.42.20.in-addr.arpa
8.8.8.8:53

alive.github.com

dns

chrome.exe

62 B
97 B
1
1

DNS Request

alive.github.com

DNS Response

140.82.114.26
8.8.8.8:53

26.114.82.140.in-addr.arpa

dns

72 B
117 B
1
1

DNS Request

26.114.82.140.in-addr.arpa
8.8.8.8:53

10.178.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

10.178.250.142.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery