wannacry | hxxp://google[.]com

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Setup_BullzipPDFPrinter_14_5_0_2974.tmp

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9CDD.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9CF4.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 40 IoCs

pid	Process
696	Setup_BullzipPDFPrinter_14_5_0_2974.exe
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
6108	_setup64.tmp
8076	gslite.exe
3944	gslite.tmp
4684	pdfpowertool_setup.exe
4248	pdfpowertool_setup.tmp
7200	xpdfsetup.exe
5760	xpdfsetup.tmp
5568	taskdl.exe
756	@[email protected]
7216	@[email protected]
3940	taskhsvc.exe
5024	taskdl.exe
5760	taskse.exe
1764	@[email protected]
1896	taskdl.exe
4108	taskse.exe
7036	@[email protected]
736	taskdl.exe
3432	taskse.exe
7976	@[email protected]
7424	taskse.exe
7824	@[email protected]
5792	taskdl.exe
5244	taskse.exe
1484	@[email protected]
3888	taskdl.exe
2896	taskse.exe
7268	@[email protected]
6068	taskdl.exe
2328	taskse.exe
5552	@[email protected]
7688	taskdl.exe
9104	taskse.exe
6728	@[email protected]
5608	taskdl.exe
5848	taskse.exe
432	@[email protected]
7400	taskdl.exe

Loads dropped DLL 55 IoCs

pid	Process
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2924	regsvr32.exe
756	regsvr32.exe
7140	regsvr32.exe
7820	regsvr32.exe
5776	regsvr32.exe
7664	regsvr32.exe
1564	regsvr32.exe
9132	regsvr32.exe
7492	regsvr32.exe
5624	regsvr32.exe
7024	regsvr32.exe
5424	regasm.exe
5424	regasm.exe
5424	regasm.exe
5424	regasm.exe
724	regasm.exe
724	regasm.exe
724	regasm.exe
724	regasm.exe
6440	regasm.exe
6440	regasm.exe
6440	regasm.exe
6440	regasm.exe
6208	regasm.exe
6208	regasm.exe
6208	regasm.exe
6208	regasm.exe
8124	regasm.exe
8124	regasm.exe
8124	regasm.exe
8124	regasm.exe
3592	regsvr32.exe
1744	regsvr32.exe
2188	regsvr32.exe
7940	regsvr32.exe
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
2680	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
8724	spoolsv.exe
3760	spoolsv.exe
3940	taskhsvc.exe
3940	taskhsvc.exe
3940	taskhsvc.exe
3940	taskhsvc.exe
3940	taskhsvc.exe
3940	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6456	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzfbkoaczl750 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled\crmfcx = "C:\\windows\\system32\\kpkopw.exe"	Autoruns64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2609	raw.githubusercontent.com
2611	raw.githubusercontent.com
2607	raw.githubusercontent.com

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-D896Q.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\SysWOW64\is-16IO1.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\SysWOW64\is-HJ8M9.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\SysWOW64\is-47RSM.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\SysWOW64\is-VMN16.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\SysWOW64\is-FUAME.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\system32\spool\drivers\w32x86\0\is-S4CBG.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\system32\is-2UDOT.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\system32\spool\drivers\w32x86\3\is-L7VFM.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\SysWOW64\is-RMCA4.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\system32\spool\DRIVERS\x64\PCC\prnms005.inf_amd64_add71423ba73e797.cab	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\PCC\prnms005.inf_amd64_add71423ba73e797.cab	spoolsv.exe
File created	C:\Windows\system32\spool\V4Dirs\D5E33AE3-E7FE-4C48-A75E-DCA4FDDCD7B1\8fc756dc.BPD	spoolsv.exe
File created	C:\Windows\SysWOW64\is-CE76L.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\SysWOW64\is-JS0F6.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\SysWOW64\is-ADJCQ.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\system32\spool\drivers\x64\3\is-I0I5R.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\system32\spool\V4Dirs\D5E33AE3-E7FE-4C48-A75E-DCA4FDDCD7B1\merged.ppd	spoolsv.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-FH2N9.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-B7Q01.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-CDGJ6.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\unins000.dat	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-JFQSB.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-1JK6D.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-JG1RO.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-QDRAA.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-N05VA.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\API\COM\is-15TI8.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Common Files\Bullzip\System\Framework\v4.0\is-DRI7B.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\Debug\is-EFUDK.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-VLNAK.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-LBM5N.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\xpdf\doc\is-NM55J.tmp	xpdfsetup.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-5JFO5.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-7IK3L.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-NUG9Q.tmp	gslite.tmp
File created	C:\Program Files\Common Files\Bullzip\System\Framework\v4.0\is-3KB49.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\zendwin\is-CPMKS.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-Q1A0B.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-DT3OM.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-7TFPT.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Common Files\Bullzip\PDF Printer\Ports\BULLZIP\is-I5QOC.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\is-HED9B.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\Macros\Examples\is-65MQR.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-UETVF.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-LOIQM.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-NNKHN.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-AM127.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\ppt\is-EVU64.tmp	pdfpowertool_setup.tmp
File created	C:\Program Files\Bullzip\PDF Printer\ppt\is-LPF7O.tmp	pdfpowertool_setup.tmp
File created	C:\Program Files\Bullzip\PDF Printer\xpdf\doc\is-GF5SV.tmp	xpdfsetup.tmp
File created	C:\Program Files\Bullzip\PDF Printer\zendwin\is-KBTOP.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-PL0CO.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-69P4I.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-E3108.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-CSTUH.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-6EF4D.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-C0M8H.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\is-5264A.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\is-OA66I.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-G4LQ7.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-164G9.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-VQ78L.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\xpdf\is-3C533.tmp	xpdfsetup.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-U751J.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-KR029.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-CTOIS.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-73ITQ.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\xpdf\is-97KO1.tmp	xpdfsetup.tmp
File opened for modification	C:\Program Files\Common Files\Bullzip\System\Framework\v4.0\Bullzip.PdfWriter.Lib.tlb	regasm.exe
File opened for modification	C:\Program Files\Bullzip\PDF Printer\gs\gsdll64.dll	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-UNV7A.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-P9SCG.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-SFEQR.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-UNELD.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\gs\is-MNU8E.tmp	gslite.tmp
File created	C:\Program Files\Bullzip\PDF Printer\xpdf\doc\is-7DE0O.tmp	xpdfsetup.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-EI14A.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-ALMJ2.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File opened for modification	C:\Program Files\Bullzip\PDF Printer\website.url	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-32N8T.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Program Files\Bullzip\PDF Printer\language\is-011F6.tmp	Setup_BullzipPDFPrinter_14_5_0_2974.tmp

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\assembly\tmp\0SXLMWYP\Bullzip.PDFWriter.dll	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\assembly\tmp\C9XLSUE9\Bullzip.PdfWriter.Lib.dll	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\assembly\tmp\9BR7LUUE\Bullzip.PdfWriter.Upload.dll	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\assembly\tmp\JUONKWDF\Bullzip.PdfWriter.Mail.dll	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\assembly\tmp\EVSNA5CC\Bullzip.PdfWriter.XpsInternal.dll	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
File created	C:\Windows\assembly\GACLock.dat	Setup_BullzipPDFPrinter_14_5_0_2974.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gslite.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup_BullzipPDFPrinter_14_5_0_2974.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gslite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup_BullzipPDFPrinter_14_5_0_2974.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdfpowertool_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdfpowertool_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpdfsetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpdfsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 28 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spoolsv.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Bullzip PDF Printer = "winspool,Ne03:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Bullzip PDF Printer = "winspool,Ne03:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Bullzip PDF Printer = "winspool,Ne03:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Bullzip PDF Printer = "winspool,Ne03:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers\ConvertUserDevModesCount	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers\DevModePerUser	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133734111199996145"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Bullzip PDF Printer = "winspool,Ne03:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Bullzip PDF Printer = "winspool,Ne03:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Bullzip PDF Printer = "winspool,Ne03:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Printers\ConvertUserDevModesCount\Bullzip PDF Printer = "1"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Bullzip PDF Printer = "winspool,Ne03:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49F79EB5-EFD5-3239-8E15-AED12A883D44}\4.0.0.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21F7097C-BBA6-47C7-8455-04ECADB9F600}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExLVwU.VirtualListViewItem\ = "TimoSoft VirtualListViewItem Class (Unicode)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bullzip.PdfInternal\CLSID	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExLVwU.ListViewSubItems.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1999276E-2420-4578-BFBD-F4BCF7E73A08}\TypeLib\ = "{9FC6639B-4237-4FB5-93B8-24049D39DF74}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9444F96-C32A-4745-9FF3-9059B92CDAB0}\Implemented Categories	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9BD0EC7-C226-42F0-9A7D-731F08800375}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.TabStrip.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3ED31350-A47C-4020-94A3-7884BA10F656}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{336D591B-C170-4e59-96C7-6E4848F3F8BC}\AppID = "{C0F77BE5-652D-4a29-98B1-414012C29C64}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CBLCtlsU.ComboBoxItem	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LblCtlsU.OLEDataObject\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CBLCtlsU.VirtualComboBoxItem\CLSID\ = "{0EF624A2-77FE-46c9-9FBE-42A561D98F25}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5C92149-E522-4478-9629-0151A4197CEC}\TypeLib\ = "{E7BB2F30-C5DD-4370-B7E2-19A7EDF169EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAE8E28E-1A61-4AEA-AF16-31DCBA45B3DC}\InprocServer32\Assembly = "Bullzip.PdfWriter.Upload, Version=1.0.0.10, Culture=neutral, PublicKeyToken=439886f61986a3e4"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8410842-CACB-4B66-9E76-7E99C5F95348}\InprocServer32\Class = "Bullzip.PdfWriter.Mail"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B6EB400-C291-4113-B7AE-8AFB544DF728}\ = "_IOptionButtonEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{828181CC-295C-4503-AC53-FB40A7E9D925}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bullzip.PdfWriter.SetupHelper\CLSID	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AFA7915-463D-4B61-AEB7-41B1236C143E}\1.a\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12BE0B6B-EA2A-468D-92ED-A77CBDA5FAB9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E684AAB9-1FE4-4DD2-98F6-792EDED3E8AC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16E67EDA-20AB-44D4-93F7-42D8DDF117F4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D717E8F-8798-4250-A7E3-D3D313199627}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23FAD8E3-09EC-489F-9B4B-96C5CF69494E}\TypeLib\ = "{2C7F2DD5-B87E-4E1F-B49F-61645D844978}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.SBarCtrl.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ = "IImage"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExLVwU.ListViewItemContainer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12BE0B6B-EA2A-468D-92ED-A77CBDA5FAB9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57C6B07B-494E-41B8-9DD8-D0B85779FBF4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46B7CCB0-C787-4A6F-9635-4612EE0949F1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0CBADE35-41B7-310A-9E3C-0CE478C67DA8}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5B961270-8A16-4369-A530-467546D7CF1D}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8ABEF60-81C3-4CCC-B108-553A63CF9C3E}\ = "_IImageComboBoxItemContainerEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{413645D4-6458-403A-AFA0-9C6F8BD23E42}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExLVwU.VirtualListViewGroup\CLSID\ = "{0F649F6C-AC1B-4e7e-890B-3AF6C5AD2EC8}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ToolboxBitmap32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObjectFiles"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE8D6CD-4993-43B7-8691-9173A1D8FF33}\ = "IOptionButton"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A736B723-16ED-42C9-BD33-4ECD307038E9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BB2F30-C5DD-4370-B7E2-19A7EDF169EE}\1.a\0\win32\ = "C:\\Windows\\SysWow64\\TabStripCtlU.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EditCtlsU.OLEDataObject.1\CLSID\ = "{2A87ADA9-8CDB-4bfc-A4A9-F781753BC26D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC04B1F-7888-40C3-9A98-4F22D31CCF8C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D717E8F-8798-4250-A7E3-D3D313199627}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
6872	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4460	msedge.exe
4460	msedge.exe
1216	msedge.exe
1216	msedge.exe
3168	chrome.exe
3168	chrome.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
8128	identity_helper.exe
8128	identity_helper.exe
3508	chrome.exe
3508	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
3944	gslite.tmp
3944	gslite.tmp
4248	pdfpowertool_setup.tmp
4248	pdfpowertool_setup.tmp
5760	xpdfsetup.tmp
5760	xpdfsetup.tmp
5916	msedge.exe
5916	msedge.exe
2000	msedge.exe
2000	msedge.exe
9044	identity_helper.exe
9044	identity_helper.exe
3940	taskhsvc.exe
3940	taskhsvc.exe
3940	taskhsvc.exe
3940	taskhsvc.exe
3940	taskhsvc.exe
3940	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4608	OpenWith.exe
6836	Autoruns64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
1216	msedge.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
4608	OpenWith.exe
756	@[email protected]
756	@[email protected]
7216	@[email protected]
7216	@[email protected]
1764	@[email protected]
1764	@[email protected]
7036	@[email protected]
7976	@[email protected]
7824	@[email protected]
1484	@[email protected]
7268	@[email protected]
5552	@[email protected]
6836	Autoruns64.exe
6836	Autoruns64.exe
6728	@[email protected]
432	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 884	1216	msedge.exe	84
PID 1216 wrote to memory of 884	1216	msedge.exe	84
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 2188	1216	msedge.exe	85
PID 1216 wrote to memory of 4460	1216	msedge.exe	86
PID 1216 wrote to memory of 4460	1216	msedge.exe	86
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87
PID 1216 wrote to memory of 716	1216	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2248	attrib.exe
7240	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb566e46f8,0x7ffb566e4708,0x7ffb566e4718
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:6952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:8808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:9024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:6760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8301229576938125383,2369500135471082376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:6996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb45e8cc40,0x7ffb45e8cc4c,0x7ffb45e8cc58
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1204,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3716 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3712,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4864,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3456,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3176,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5256,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3200,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5380,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3244,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5708,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5364,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5948,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6304,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6476,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6528,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6324,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6340,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6652,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6928,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6924,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7220,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7248 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7388,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7392,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7380 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7436,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7584 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6380,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7996,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7980 /prefetch:1
  2⤵
  PID:6180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=8128,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:6232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=8176,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8140 /prefetch:1
  2⤵
  PID:6240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=8476,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8308 /prefetch:1
  2⤵
  PID:6344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=8644,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8600 /prefetch:1
  2⤵
  PID:6412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=8716,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8412 /prefetch:1
  2⤵
  PID:6464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=8468,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8628 /prefetch:1
  2⤵
  PID:6528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=9008,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8852 /prefetch:1
  2⤵
  PID:6648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8932,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8888 /prefetch:1
  2⤵
  PID:6720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=9140,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9272 /prefetch:1
  2⤵
  PID:6728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=9448,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9432 /prefetch:1
  2⤵
  PID:6824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=9592,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9624 /prefetch:1
  2⤵
  PID:6880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=9412,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9736 /prefetch:1
  2⤵
  PID:6888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=9900,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9864 /prefetch:1
  2⤵
  PID:6996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=9896,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9916 /prefetch:1
  2⤵
  PID:7004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=9936,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10144 /prefetch:1
  2⤵
  PID:7012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=9952,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10260 /prefetch:1
  2⤵
  PID:7020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=9968,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10376 /prefetch:1
  2⤵
  PID:7028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=9984,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10492 /prefetch:1
  2⤵
  PID:7036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=10000,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10612 /prefetch:1
  2⤵
  PID:7044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=10016,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10740 /prefetch:1
  2⤵
  PID:7052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=10720,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10872 /prefetch:1
  2⤵
  PID:7060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=10860,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10972 /prefetch:1
  2⤵
  PID:7068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=11100,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=11160 /prefetch:1
  2⤵
  PID:7080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=11140,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=11284 /prefetch:1
  2⤵
  PID:7088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=11500,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=11504 /prefetch:1
  2⤵
  PID:7096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=11636,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=11648 /prefetch:1
  2⤵
  PID:7108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=11784,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=11792 /prefetch:1
  2⤵
  PID:7116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=11800,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=11832 /prefetch:1
  2⤵
  PID:7124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=11952,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12100 /prefetch:1
  2⤵
  PID:7132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=9464,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12408 /prefetch:1
  2⤵
  PID:7860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=11668,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12520 /prefetch:1
  2⤵
  PID:7172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=12672,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12640 /prefetch:1
  2⤵
  PID:6592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=12684,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12780 /prefetch:1
  2⤵
  PID:7756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=12816,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12808 /prefetch:1
  2⤵
  PID:7800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=13044,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=13056 /prefetch:1
  2⤵
  PID:7764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=13080,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12512 /prefetch:1
  2⤵
  PID:7788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=13348,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12532 /prefetch:1
  2⤵
  PID:7956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=13560,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=13592 /prefetch:1
  2⤵
  PID:8136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=13400,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=13700 /prefetch:1
  2⤵
  PID:8288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=13792,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=13496 /prefetch:1
  2⤵
  PID:8656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=13904,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14160 /prefetch:1
  2⤵
  PID:8640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=14032,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14128 /prefetch:1
  2⤵
  PID:8688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=14144,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14000 /prefetch:1
  2⤵
  PID:8764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --field-trial-handle=14212,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14204 /prefetch:1
  2⤵
  PID:8808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --field-trial-handle=14352,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14052 /prefetch:1
  2⤵
  PID:8928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=14532,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14508 /prefetch:1
  2⤵
  PID:8996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=14636,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14660 /prefetch:1
  2⤵
  PID:9044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --field-trial-handle=14348,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14776 /prefetch:1
  2⤵
  PID:9072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --field-trial-handle=14924,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14936 /prefetch:1
  2⤵
  PID:9172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --field-trial-handle=15064,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=15112 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=10492,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10608 /prefetch:1
  2⤵
  PID:8460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --field-trial-handle=15276,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=15220 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --field-trial-handle=12020,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12352 /prefetch:1
  2⤵
  PID:8432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --field-trial-handle=15132,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14948 /prefetch:1
  2⤵
  PID:8268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --field-trial-handle=12880,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14180 /prefetch:1
  2⤵
  PID:8272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --field-trial-handle=12396,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=13356 /prefetch:1
  2⤵
  PID:8128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --field-trial-handle=14868,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=14860 /prefetch:1
  2⤵
  PID:6424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --field-trial-handle=6348,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7404 /prefetch:1
  2⤵
  PID:6560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --field-trial-handle=8112,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:6576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --field-trial-handle=10692,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --field-trial-handle=12508,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8456 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --field-trial-handle=7396,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8048 /prefetch:1
  2⤵
  PID:7276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --field-trial-handle=13212,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=15248 /prefetch:1
  2⤵
  PID:8476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --field-trial-handle=12928,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=13276 /prefetch:1
  2⤵
  PID:6368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --field-trial-handle=7432,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7380 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=12504,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7676 /prefetch:8
  2⤵
  PID:6452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7672,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=13268 /prefetch:8
  2⤵
  PID:6348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --field-trial-handle=8464,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --field-trial-handle=7676,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7800,i,14881207928984726739,1349770243392842212,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=12312 /prefetch:8
  2⤵
  PID:6840

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x478
1⤵
PID:8296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb45e8cc40,0x7ffb45e8cc4c,0x7ffb45e8cc58
  2⤵
  PID:6200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2084,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=2480 /prefetch:3
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2140,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4432,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4416 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  PID:9020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4420,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:9036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5088,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:6832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3540,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:8896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4412,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3248,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5496,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:5740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5188,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:9208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3124,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4448,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5740,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5912,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6064,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5892,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4780,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:8296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5224,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:6324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5340,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:6580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6316,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:7856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6444,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6640,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:6496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6492,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:8964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6312,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:8828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6816,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6204,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:6616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6216,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  PID:440
- C:\Users\Admin\Downloads\Setup_BullzipPDFPrinter_14_5_0_2974.exe
  "C:\Users\Admin\Downloads\Setup_BullzipPDFPrinter_14_5_0_2974.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\is-CS6L4.tmp\Setup_BullzipPDFPrinter_14_5_0_2974.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-CS6L4.tmp\Setup_BullzipPDFPrinter_14_5_0_2974.tmp" /SL5="$70298,25325411,803328,C:\Users\Admin\Downloads\Setup_BullzipPDFPrinter_14_5_0_2974.exe"
    3⤵
    - Boot or Logon Autostart Execution: Port Monitors
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\_isetup\_setup64.tmp
      helper 105 0x4BC
      4⤵
      Executes dropped EXE
      PID:6108
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:8412
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:2212
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:7132
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:5216
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:6856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:8572
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:9116
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:8032
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:5484
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:6256
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:5608
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:6096
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:3952
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:3276
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:3732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:7700
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:1548
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:4144
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:2644
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:3868
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:1188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:6592
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:7952
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:1176
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:6476
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:2376
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:7116
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:9172
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:5500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\msxml6.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:512
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\msxml6.dll"
      4⤵
      PID:408
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\msscript.ocx"
      4⤵
      PID:5296
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Windows\system32\msscript.ocx"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6024
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\comdlg32.OCX"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\mscomctl.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:756
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\BtnCtlsU.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:7140
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\CBLCtlsU.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:7820
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\EditCtlsU.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5776
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ExLvwU.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:7664
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\LblCtlsU.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1564
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\TabStripCtlU.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:9132
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Common Files\Bullzip\PDF Printer\API\COM\bzpdfc.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:7492
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\bzFlRdr.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5624
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\bzDCT.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:7024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /codebase Bullzip.PDFWriter.dll /tlb
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5424
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /codebase Bullzip.PDFWriter.dll /tlb
      4⤵
      PID:7996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /codebase Bullzip.PdfWriter.Lib.dll /tlb
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:724
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /codebase Bullzip.PdfWriter.Lib.dll /tlb
      4⤵
      Drops file in Program Files directory
      Modifies registry class
      PID:384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /codebase Bullzip.PdfWriter.Upload.dll /tlb
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6440
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /codebase Bullzip.PdfWriter.Upload.dll /tlb
      4⤵
      Modifies registry class
      PID:8524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /codebase Bullzip.PdfWriter.Mail.dll /tlb
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:6208
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /codebase Bullzip.PdfWriter.Mail.dll /tlb
      4⤵
      PID:6796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /codebase Bullzip.PdfWriter.XpsInternal.dll /tlb
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:8124
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s vbscript.dll
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Windows\SysWOW64\comdlg32.ocx"
      4⤵
      Loads dropped DLL
      PID:3592
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\SysWOW64\comdlg32.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1744
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Windows\SysWOW64\mscomctl.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2188
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\SysWOW64\mscomctl.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:7940
  - - C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\gslite.exe
      "C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\gslite.exe" /auto /noregistry /nouninstallregkey /dir="C:\Program Files\Bullzip\PDF Printer\gs"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:8076
    - - C:\Users\Admin\AppData\Local\Temp\is-D3SCC.tmp\gslite.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D3SCC.tmp\gslite.tmp" /SL5="$90238,24669322,801792,C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\gslite.exe" /auto /noregistry /nouninstallregkey /dir="C:\Program Files\Bullzip\PDF Printer\gs"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\pdfpowertool_setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\pdfpowertool_setup.exe" /verysilent /auto /noregistry /nouninstallregkey /dir="C:\Program Files\Bullzip\PDF Printer\ppt"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\is-MN8P6.tmp\pdfpowertool_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MN8P6.tmp\pdfpowertool_setup.tmp" /SL5="$B0276,1892086,119296,C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\pdfpowertool_setup.exe" /verysilent /auto /noregistry /nouninstallregkey /dir="C:\Program Files\Bullzip\PDF Printer\ppt"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\xpdfsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\xpdfsetup.exe" /verysilent /auto /noregistry /nouninstallregkey /dir="C:\Program Files\Bullzip\PDF Printer\xpdf"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7200
    - - C:\Users\Admin\AppData\Local\Temp\is-OGIVM.tmp\xpdfsetup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OGIVM.tmp\xpdfsetup.tmp" /SL5="$C0276,690880,119296,C:\Users\Admin\AppData\Local\Temp\is-IS7RD.tmp\xpdfsetup.exe" /verysilent /auto /noregistry /nouninstallregkey /dir="C:\Program Files\Bullzip\PDF Printer\xpdf"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5760
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:3336
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:7864
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:7796
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:6720
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:9172
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:3200
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:4980
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:4816
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:1100
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:2892
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:6236
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:5828
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:7240
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:7456
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:8968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:1584
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:4948
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:8184
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" STOP SPOOLER /Y
      4⤵
      PID:1660
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 STOP SPOOLER /Y
        5⤵
        
        PID:6308
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:2476
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:5176
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:6744
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:1524
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:5956
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:2744
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:3492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:1220
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" start spooler
      4⤵
      PID:3224
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start spooler
        5⤵
        
        PID:5448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bullzip.com/dispatch/?action=Installed&productid=PDF
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb566e46f8,0x7ffb566e4708,0x7ffb566e4718
        5⤵
        
        PID:4788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,6855903384397192391,12975233257158253299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
        5⤵
        
        PID:1860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,6855903384397192391,12975233257158253299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,6855903384397192391,12975233257158253299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
        5⤵
        
        PID:6608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6855903384397192391,12975233257158253299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
        5⤵
        
        PID:6284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6855903384397192391,12975233257158253299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
        5⤵
        
        PID:1956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6855903384397192391,12975233257158253299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
        5⤵
        
        PID:8564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,6855903384397192391,12975233257158253299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8
        5⤵
        
        PID:8380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,6855903384397192391,12975233257158253299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:9044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6120,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:7312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6060,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:7248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=5760,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:6460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=5184,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=3232,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=4044,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=3284,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:8380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=5828,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=5572,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:8552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=4004,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:6852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=4356,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=6924,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6944 /prefetch:2
  2⤵
  PID:7648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=6520,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=6728,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:8284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=3220,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=1452 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=6676,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=6232,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=5724,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=1104 /prefetch:1
  2⤵
  PID:7096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6964,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:8264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5236,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=6732,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:6916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=4700,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=6048,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:7764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=4380,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=1100 /prefetch:8
  2⤵
  PID:9076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=6084,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=4964,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6644,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=7108 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=2792,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=5108,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=6188,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:8564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=5824,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:7640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=6544,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:7536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=3024,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:9028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6472,i,5725353938416487046,2163891935014418386,262144 --variations-seed-version=20241013-180211.763000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:4144

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:6756

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Loads dropped DLL
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:8724

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4608
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\gcide-0.53.tar.gz.sig
  2⤵
  PID:908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:6148
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2248
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:6456
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 248451728939013.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3732
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6092
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:7240
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:756
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:8348
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:944
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5760
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nzfbkoaczl750" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:840
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nzfbkoaczl750" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:6872
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4108
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7036
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7976
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7424
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7824
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5792
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5244
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3888
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7268
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6068
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5552
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7688
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9104
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6728
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5608
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5848
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:432
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\Temp1_Autoruns.zip\Autoruns64.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Autoruns.zip\Autoruns64.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery