hxxps://greggman[.]com/downloads/examples/html5bytebeat/html5bytebeat[.]html#t=0&e=0&s=8000&bb=5d00000100d8000000000000000017e07c448a369a0fb84fd64c3680f0b757a25bd766d62696e767c8dd550588c4247b59701e0e8da7fac3eb2ef42618bcfee305a8794a84de090a58b4c2afae4dea361455b6e322a8c5ae9d4560337fcc00c84b7d301a79c3553e3be93807fbfd1e28d151964b29e2b16affe9b8ee12a6db921233daac18f14850deee365ac8ad2e5de190238336358a2653ceff4b62a8467a0c3aff7f3758cb11042da65e8941ffff4b429d00

Processes:

systempropertiesadvanced.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	systempropertiesadvanced.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

Processes:

systempropertiesadvanced.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	systempropertiesadvanced.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

Processes:

setup.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.119\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid process

6348 takeown.exe
6924 icacls.exe
2188 takeown.exe
7664 takeown.exe
9156 icacls.exe
9024 takeown.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

pid	process
6348	takeown.exe
6924	icacls.exe
2188	takeown.exe
7664	takeown.exe
9156	icacls.exe
9024	takeown.exe

Executes dropped EXE 64 IoCs

Processes:

ChromeSetup.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe130.0.6723.119_chrome_installer.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeupdater.exeupdater.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
892	ChromeSetup.exe
4744	updater.exe
4900	updater.exe
4728	updater.exe
5048	updater.exe
5012	updater.exe
4752	updater.exe
3528	130.0.6723.119_chrome_installer.exe
5272	setup.exe
920	setup.exe
4748	setup.exe
5328	setup.exe
2176	setup.exe
6052	setup.exe
5440	setup.exe
2344	setup.exe
1912	chrome.exe
5512	chrome.exe
2960	chrome.exe
3240	chrome.exe
2444	elevation_service.exe
3448	chrome.exe
5344	chrome.exe
4984	chrome.exe
2020	chrome.exe
1400	chrome.exe
3996	chrome.exe
3248	chrome.exe
4476	chrome.exe
4456	updater.exe
3272	updater.exe
5404	chrome.exe
1864	chrome.exe
5148	chrome.exe
1664	chrome.exe
2808	chrome.exe
5504	chrome.exe
1552	chrome.exe
3004	chrome.exe
2620	chrome.exe
6044	chrome.exe
5312	chrome.exe
2380	chrome.exe
5604	chrome.exe
5220	chrome.exe
2132	chrome.exe
5916	chrome.exe
3628	chrome.exe
4984	chrome.exe
5944	chrome.exe
3296	chrome.exe
4848	chrome.exe
3428	chrome.exe
3016	chrome.exe
1396	chrome.exe
5668	chrome.exe
792	chrome.exe
3488	chrome.exe
4908	chrome.exe
3752	chrome.exe
1264	chrome.exe
5144	chrome.exe
4696	chrome.exe
2100	chrome.exe

Loads dropped DLL 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
1912	chrome.exe
5512	chrome.exe
1912	chrome.exe
2960	chrome.exe
2960	chrome.exe
3240	chrome.exe
3240	chrome.exe
3448	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
3448	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
5344	chrome.exe
5344	chrome.exe
4984	chrome.exe
4984	chrome.exe
2020	chrome.exe
2020	chrome.exe
1400	chrome.exe
3996	chrome.exe
1400	chrome.exe
3996	chrome.exe
3248	chrome.exe
3248	chrome.exe
4476	chrome.exe
4476	chrome.exe
5404	chrome.exe
5404	chrome.exe
1864	chrome.exe
1864	chrome.exe
5148	chrome.exe
5148	chrome.exe
1664	chrome.exe
1664	chrome.exe
2808	chrome.exe
2808	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
1552	chrome.exe
1552	chrome.exe
3004	chrome.exe
3004	chrome.exe
2620	chrome.exe
2620	chrome.exe
6044	chrome.exe
6044	chrome.exe
5312	chrome.exe
5312	chrome.exe
2380	chrome.exe
2380	chrome.exe
5604	chrome.exe
5604	chrome.exe
5220	chrome.exe
5220	chrome.exe
2132	chrome.exe
2132	chrome.exe
5916	chrome.exe
5916	chrome.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid process

2188 takeown.exe
7664 takeown.exe
9156 icacls.exe
9024 takeown.exe
6348 takeown.exe
6924 icacls.exe

pid	process
2188	takeown.exe
7664	takeown.exe
9156	icacls.exe
9024	takeown.exe
6348	takeown.exe
6924	icacls.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Start10Shell\ = "{6A451C0A-9597-4915-BCCE-6E859BC996B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Start10Shell	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

Processes:

updater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

StartScreen.exeStartScreen.exeStartScreen.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini	StartScreen.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini	StartScreen.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\startscreen\desktop.ini	StartScreen.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 10 IoCs

Processes:

setup.exeUltraUXThemePatcher_4.4.3.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe
File created	C:\Windows\System32\themeui.dll.backup	UltraUXThemePatcher_4.4.3.exe
File opened for modification	C:\Windows\System32\themeui.dll.backup	UltraUXThemePatcher_4.4.3.exe
File created	C:\Windows\System32\themeui.dll.new	UltraUXThemePatcher_4.4.3.exe
File created	C:\Windows\System32\uxinit.dll.new	UltraUXThemePatcher_4.4.3.exe
File opened for modification	C:\Windows\system32\uxinit.dll.new	UltraUXThemePatcher_4.4.3.exe
File opened for modification	C:\Windows\system32\themeui.dll.new	UltraUXThemePatcher_4.4.3.exe
File opened for modification	C:\Windows\system32\themeui.dll.old	UltraUXThemePatcher_4.4.3.exe
File created	C:\Windows\System32\uxinit.dll.backup	UltraUXThemePatcher_4.4.3.exe
File opened for modification	C:\Windows\system32\uxinit.dll.old	UltraUXThemePatcher_4.4.3.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/8116-3999-0x0000000000070000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/8116-4081-0x0000000000070000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/8116-8706-0x0000000000070000-0x0000000000458000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

updater.exeupdater.exeupdater.exeirsetup.exesetup.exeupdater.exeStartIsBackCfg.exeupdater.exeUltraUXThemePatcher_4.4.3.exeupdater.exeupdater.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\705a6dd7-a070-4f5b-b11c-056f14c03606.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\DeElevator.dll	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\defs2.ini	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\StartButtons\Sonar Large.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Uninstall\IRIMG2.JPG	irsetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5272_1594740265\Chrome-bin\130.0.6723.119\Locales\af.pak	setup.exe
File created	C:\Program Files (x86)\Stardock\Start11\Uninstall\Encoding.lmd	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\it.lng	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-04.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Grunge Stone 02_x2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Rusty Metal Grid_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Notifications\Assets\Groupy 2-icon.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\StartIsBack\StartIsBack32.dll	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\StartIsBack64.dll	StartIsBackCfg.exe
File created	C:\Program Files (x86)\Stardock\Start11\Links\4.lnk	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Small Angle Stripes_x2.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-01.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-17.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\ko.lng	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Taskbar Grid 01.png	irsetup.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Windows 7.msstyles	StartIsBackCfg.exe
File created	C:\Program Files (x86)\Stardock\Start11\Start11Config.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Links\31.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\Links\4.lnk	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\mrmsupport.dll	irsetup.exe
File created	C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe	UltraUXThemePatcher_4.4.3.exe
File created	C:\Program Files\Google\Chrome\Temp\source5272_1594740265\chrome.7z	setup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Triangle One.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Carbon Fibre_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-14.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Notifications\Assets\stardock.png	irsetup.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Plain10.msstyles	StartIsBackCfg.exe
File created	C:\Program Files (x86)\Stardock\Start11\Start10tweak.exe	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\lang\fi.lng	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-22.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\TabMedium.png	irsetup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\c22a5aa9-db79-4e15-92f6-71609d1a5170.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Triangle Two.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Fabric_x2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-02.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\DeElevate64.exe	irsetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5272_1594740265\Chrome-bin\130.0.6723.119\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5272_1594740265\Chrome-bin\130.0.6723.119\Locales\nl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5272_1594740265\Chrome-bin\130.0.6723.119\Locales\ta.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\ThemeHelp.txt	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\lang\fi.lng	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\StartButtons\Reflow.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\GroupPolicy\en-us\start8_gp.adml	irsetup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-20.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Notifications\Stardock.Notifications.exe	irsetup.exe
File created	C:\Program Files (x86)\Stardock\Start11\TabTextures\s11-tab-texture-08.png	irsetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5272_1594740265\Chrome-bin\130.0.6723.119\chrome_pwa_launcher.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\7cd5e238-9213-49fc-8f34-def463b8a2e4.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Sand_x2.png	irsetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5272_1594740265\Chrome-bin\130.0.6723.119\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\12a138af-47cd-45de-8f92-89a55d2c5c31.tmp	updater.exe
File created	C:\Program Files (x86)\Stardock\Start11\Links\5.lnk	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\Start11\TaskbarTextures\Rock_x2.png	irsetup.exe

Drops file in Windows directory 52 IoCs

Processes:

setup.exesetup.exeupdater.exesetup.exesetup.exesetup.exechrome.exechrome.exe130.0.6723.119_chrome_installer.exesetup.exeChromeSetup.exeupdater.exesetup.exesetup.exesetup.exechrome.exesetup.exesetup.exesetup.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\130.0.6723.119_chrome_installer.exe	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_109834019\_metadata\verified_contents.json	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\_metadata\verified_contents.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe	130.0.6723.119_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_109834019\LICENSE	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_109834019\manifest.fingerprint	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_1346644256\manifest.fingerprint	chrome.exe
File created	C:\Windows\SystemTemp\Google892_1420803197\UPDATER.PACKED.7Z	ChromeSetup.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\2f9db79c-2877-476e-aa94-2736b2f88777.tmp	updater.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_109834019\manifest.json	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp	ChromeSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\CHROME.PACKED.7Z	130.0.6723.119_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_1346644256\manifest.json	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_1346644256\_metadata\verified_contents.json	chrome.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\Google892_1006734886\bin\uninstall.cmd	ChromeSetup.exe
File created	C:\Windows\SystemTemp\Google892_1006734886\bin\updater.exe	ChromeSetup.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_5012_2006640847\-8a69d345-d564-463c-aff1-a69d9e530f96-_130.0.6723.119_all_epsriw5timt4kztbpr6zq4zpai.crx3	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\manifest.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\manifest.fingerprint	updater.exe
File opened for modification	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe	130.0.6723.119_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_109834019\crl-set	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_1346644256\Filtering Rules	chrome.exe
File created	C:\Windows\SystemTemp\Google892_1006734886\updater.7z	ChromeSetup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1912_1346644256\LICENSE.txt	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\SETUP.EX_	130.0.6723.119_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

chrome.exechrome.exechrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\ChromeSetup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Start11v2-setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.3.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\StartIsBackPlusPlus_setup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

6724 7204 WerFault.exe SdDisplay.exe
6028 8568 WerFault.exe SdDisplay.exe
3504 4576 WerFault.exe SdDisplay.exe

pid	pid_target	process	target process
6724	7204	WerFault.exe	SdDisplay.exe
6028	8568	WerFault.exe	SdDisplay.exe
3504	4576	WerFault.exe	SdDisplay.exe

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

StartIsBackCfg.exeSdDisplay.exeupdater.exeStart11Config.exeStartIsBackPlusPlus_setup.exeStartIsBackCfg.exetaskkill.exetaskkill.exeStartIsBackCfg.exeupdater.exeStart11Srv.exeStart11Config.exetaskkill.exeChromeSetup.exeupdater.exeupdater.execmd.exeStart11Config.exetaskkill.exeupdater.exeupdater.exeirsetup.exetaskkill.exeStartIsBackCfg.exeSdDisplay.exetaskkill.exetaskkill.execmd.exeStartScreen.exeupdater.exeupdater.exeGetMachineSID.exeUltraUXThemePatcher_4.4.3.exestartscreen.exeStartScreen.exeregsvr32.exeStart11Config.exeSdDisplay.exereg.exeupdater.exeupdater.exeStart11Config.exeupdater.exeupdater.exeDllHost.exeupdater.exeStart11Config.exeDllHost.exeDllHost.exeStart11v2-setup.exeStartScreen.exeupdater.exeStart11Srv.exeUpdateCheck.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartIsBackCfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SdDisplay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartIsBackPlusPlus_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartIsBackCfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartIsBackCfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartIsBackCfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SdDisplay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetMachineSID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UltraUXThemePatcher_4.4.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	startscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SdDisplay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11v2-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

setup.exe130.0.6723.119_chrome_installer.exe

pid process

5272 setup.exe
3528 130.0.6723.119_chrome_installer.exe

pid	process
5272	setup.exe
3528	130.0.6723.119_chrome_installer.exe

Checks SCSI registry key(s) 3 TTPs 63 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vssvc.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004c79797f2efc73ee0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004c79797f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004c79797f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4c79797f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004c79797f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exeSearchHost.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

7044 taskkill.exe
1392 taskkill.exe
7392 taskkill.exe
1056 taskkill.exe
2416 taskkill.exe
4140 taskkill.exe
7580 taskkill.exe

pid	process
7044	taskkill.exe
1392	taskkill.exe
7392	taskkill.exe
1056	taskkill.exe
2416	taskkill.exe
4140	taskkill.exe
7580	taskkill.exe

Modifies Control Panel 21 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\ = "Windows Standard (large)"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Crosshair = "%SystemRoot%\\cursors\\cross_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeWE = "%SystemRoot%\\cursors\\size3_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeNESW = "%SystemRoot%\\cursors\\size1_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Arrow = "%SystemRoot%\\cursors\\arrow_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Wait = "%SystemRoot%\\cursors\\busy_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Hand	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Person = "%SystemRoot%\\cursors\\person_m.cur"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\UserPreferencesMask = 9012038010000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\IBeam = "%SystemRoot%\\cursors\\beam_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\NWPen = "%SystemRoot%\\cursors\\pen_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\No = "%SystemRoot%\\cursors\\no_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeNWSE = "%SystemRoot%\\cursors\\size2_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Pin = "%SystemRoot%\\cursors\\pin_m.cur"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Scheme Source = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Help = "%SystemRoot%\\cursors\\help_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\AppStarting = "%SystemRoot%\\cursors\\wait_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeNS = "%SystemRoot%\\cursors\\size4_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeAll = "%SystemRoot%\\cursors\\move_m.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\UpArrow = "%SystemRoot%\\cursors\\up_m.cur"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

Processes:

explorer.exeSdDisplay.exeSdDisplay.exeSdDisplay.exeSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SdDisplay.exe = "11001"	SdDisplay.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL	SdDisplay.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\SdDisplay.exe = "1"	SdDisplay.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SdDisplay.exe = "11001"	SdDisplay.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SdDisplay.exe = "11001"	SdDisplay.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\SdDisplay.exe = "1"	SdDisplay.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\SdDisplay.exe = "1"	SdDisplay.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

setup.exechrome.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764210337940331"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe

Modifies registry class 64 IoCs

Processes:

updater.exeStartIsBackCfg.exeexplorer.exesetup.exechrome.exeexplorer.exeSearchHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}	StartIsBackCfg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\132.0.6806.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\132.0.6806.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib\ = "{34527502-D3DB-4205-A69B-789B27EE0414}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\Application\AppUserModelId = "Chrome"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\ = "Taskbar Pin"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:PID = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{0C3794F3-B545-43AA-A329-C37430C58D2A}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ = "IPolicyStatus4System"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib\ = "{8476CE12-AE1F-4198-805C-BA0F9B783F57}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\ = "{F63F6F8B-ACD5-413C-A44B-0409136D26CB}"	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Command	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web"	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = 00000000ffffffff	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\132.0.6806.0\\updater.exe\\6"	updater.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\SeparatorBefore = "1"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ = "IPolicyStatusSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ = "IAppCommandWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.AppsFolder\Shell\Delete	StartIsBackCfg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "13485"	SearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\132.0.6806.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib	updater.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

chrome.exeStartIsBackCfg.exeStart11Config.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	chrome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	chrome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	Start11Config.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	StartIsBackCfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	StartIsBackCfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Start11Config.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Start11Config.exe

NTFS ADS 6 IoCs

Processes:

Start11Config.exechrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Stardock\Start10Ctrlpnl\Delivery Optimization Settings: Allow downloads from other PCs.lnk	Start11Config.exe
File opened for modification	C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.3.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\StartIsBackPlusPlus_setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\ChromeSetup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Start11v2-setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\img0.jpg:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

7796 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

explorer.exe

pid process

1360 explorer.exe
1360 explorer.exe

pid	process
7796	schtasks.exe

pid	process
1360	explorer.exe
1360	explorer.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

chrome.exechrome.exechrome.exeupdater.exeupdater.exeupdater.exechrome.exeupdater.exechrome.exeupdater.exeupdater.exeupdater.exeSdDisplay.exeSdDisplay.exeexplorer.exeSdDisplay.exe

pid	process
1908	chrome.exe
1908	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
432	chrome.exe
432	chrome.exe
4744	updater.exe
4744	updater.exe
4744	updater.exe
4744	updater.exe
4744	updater.exe
4744	updater.exe
4728	updater.exe
4728	updater.exe
4728	updater.exe
4728	updater.exe
4728	updater.exe
4728	updater.exe
5012	updater.exe
5012	updater.exe
5012	updater.exe
5012	updater.exe
5012	updater.exe
5012	updater.exe
1912	chrome.exe
1912	chrome.exe
4456	updater.exe
4456	updater.exe
4456	updater.exe
4456	updater.exe
5504	chrome.exe
5504	chrome.exe
8980	updater.exe
8980	updater.exe
8980	updater.exe
8980	updater.exe
9000	updater.exe
9000	updater.exe
9000	updater.exe
9000	updater.exe
9036	updater.exe
9036	updater.exe
9036	updater.exe
9036	updater.exe
9036	updater.exe
9036	updater.exe
7204	SdDisplay.exe
7204	SdDisplay.exe
7204	SdDisplay.exe
7204	SdDisplay.exe
8568	SdDisplay.exe
8568	SdDisplay.exe
8568	SdDisplay.exe
8568	SdDisplay.exe
8716	explorer.exe
8716	explorer.exe
4576	SdDisplay.exe
4576	SdDisplay.exe
4576	SdDisplay.exe
4576	SdDisplay.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

explorer.exeStartIsBackCfg.exeexplorer.exe

pid process

1360 explorer.exe
3768 StartIsBackCfg.exe
8716 explorer.exe

pid	process
1360	explorer.exe
3768	StartIsBackCfg.exe
8716	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2588	firefox.exe
Token: SeDebugPrivilege	2588	firefox.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exechrome.exeexplorer.exechrome.exe

pid	process
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
2588	firefox.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1908	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeexplorer.exe

pid	process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

firefox.exeStart11v2-setup.exeirsetup.exeGetMachineSID.exechrome.exeStart11_64.exeStart11_64.exeStart11Config.exeStart11Config.exeStart11Config.exeStart11Config.exeSdDisplay.exeStart11Config.exeSdDisplay.exeUltraUXThemePatcher_4.4.3.exeStart11Config.exeexplorer.exeSdDisplay.exeSearchHost.exeStartMenuExperienceHost.exe

pid	process
2588	firefox.exe
6564	Start11v2-setup.exe
8116	irsetup.exe
8116	irsetup.exe
8116	irsetup.exe
8336	GetMachineSID.exe
8116	irsetup.exe
7604	chrome.exe
8116	irsetup.exe
8116	irsetup.exe
7728	Start11_64.exe
1840	Start11_64.exe
1840	Start11_64.exe
4740	Start11Config.exe
4740	Start11Config.exe
6568	Start11Config.exe
6568	Start11Config.exe
3208	Start11Config.exe
3208	Start11Config.exe
836	Start11Config.exe
836	Start11Config.exe
836	Start11Config.exe
7204	SdDisplay.exe
7204	SdDisplay.exe
8344	Start11Config.exe
8344	Start11Config.exe
8344	Start11Config.exe
8568	SdDisplay.exe
8568	SdDisplay.exe
6788	UltraUXThemePatcher_4.4.3.exe
8420	Start11Config.exe
8420	Start11Config.exe
8420	Start11Config.exe
8716	explorer.exe
4576	SdDisplay.exe
4576	SdDisplay.exe
840	SearchHost.exe
6068	StartMenuExperienceHost.exe
8716	explorer.exe
8716	explorer.exe
8716	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 3524 wrote to memory of 2588	3524	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 4552	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 2840	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 2840	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 2840	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 2840	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 2840	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 2840	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 2840	2588	firefox.exe	firefox.exe
PID 2588 wrote to memory of 2840	2588	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://greggman.com/downloads/examples/html5bytebeat/html5bytebeat.html#t=0&e=0&s=8000&bb=5d00000100d8000000000000000017e07c448a369a0fb84fd64c3680f0b757a25bd766d62696e767c8dd550588c4247b59701e0e8da7fac3eb2ef42618bcfee305a8794a84de090a58b4c2afae4dea361455b6e322a8c5ae9d4560337fcc00c84b7d301a79c3553e3be93807fbfd1e28d151964b29e2b16affe9b8ee12a6db921233daac18f14850deee365ac8ad2e5de190238336358a2653ceff4b62a8467a0c3aff7f3758cb11042da65e8941ffff4b429d00"
1⤵
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://greggman.com/downloads/examples/html5bytebeat/html5bytebeat.html#t=0&e=0&s=8000&bb=5d00000100d8000000000000000017e07c448a369a0fb84fd64c3680f0b757a25bd766d62696e767c8dd550588c4247b59701e0e8da7fac3eb2ef42618bcfee305a8794a84de090a58b4c2afae4dea361455b6e322a8c5ae9d4560337fcc00c84b7d301a79c3553e3be93807fbfd1e28d151964b29e2b16affe9b8ee12a6db921233daac18f14850deee365ac8ad2e5de190238336358a2653ceff4b62a8467a0c3aff7f3758cb11042da65e8941ffff4b429d00
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de65be21-3825-4403-bafc-4876475faa20} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" gpu
    3⤵
    PID:4552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {645a6379-e092-4152-99e5-3f4a3e0bbe1c} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" socket
    3⤵
    - Checks processor information in registry
    PID:2840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c653c999-74bb-4ca2-b1ee-95af93778542} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
    3⤵
    PID:3432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 2 -isForBrowser -prefsHandle 2872 -prefMapHandle 2928 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29a078a7-f7e0-42c9-b757-0b54dfe6caa3} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
    3⤵
    PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37ac81dc-7181-4ee8-8280-f6423adbf04c} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" utility
    3⤵
    - Checks processor information in registry
    PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 5540 -prefMapHandle 5536 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5df8de6a-59d0-46bf-8a4d-646dea285ee8} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
    3⤵
    PID:1676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5716 -prefMapHandle 5660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0761d7-d757-4d04-9943-6b0c77d7fffb} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
    3⤵
    PID:3428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 5 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b85018bd-a992-49f2-b00f-73c2f5f25b66} 2588 "\\.\pipe\gecko-crash-server-pipe.2588" tab
    3⤵
    PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe4,0x84,0x7ff9f234cc40,0x7ff9f234cc4c,0x7ff9f234cc58
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3536,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4596,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4664,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:2
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1452,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=1100,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:5792
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7acb14698,0x7ff7acb146a4,0x7ff7acb146b0
    3⤵
    - Drops file in Windows directory
    PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4812,i,6018306634698700075,4003137903306279167,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4024
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7acb14698,0x7ff7acb146a4,0x7ff7acb146b0
    3⤵
    - Drops file in Windows directory
    PID:1960

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:656

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
1⤵
PID:3188

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1360
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,,2
  2⤵
  PID:5332
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" ms-settings:personalization
    3⤵
    PID:5364

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:2372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5396

C:\Windows\system32\systempropertiesadvanced.exe
"C:\Windows\system32\systempropertiesadvanced.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
PID:6124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f234cc40,0x7ff9f234cc4c,0x7ff9f234cc58
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4388,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4420 /prefetch:1
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5112,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4588,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5544,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5536,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5784,i,9781666659871776094,3558960084405548650,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4576
- C:\Users\Admin\Downloads\ChromeSetup.exe
  "C:\Users\Admin\Downloads\ChromeSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:892
- - C:\Windows\SystemTemp\Google892_1006734886\bin\updater.exe
    "C:\Windows\SystemTemp\Google892_1006734886\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A7DAFAF9-1DDA-2B11-E914-61D104141484}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/enterprise_companion/*=2,*/chrome/updater/*=2
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4744
  - - C:\Windows\SystemTemp\Google892_1006734886\bin\updater.exe
      C:\Windows\SystemTemp\Google892_1006734886\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6806.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0xc34400,0xc3440c,0xc34418
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4900

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3868

C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4728
- C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6806.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x6b4400,0x6b440c,0x6b4418
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5048

C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5012
- C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6806.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x6b4400,0x6b440c,0x6b4418
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4752
- C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\130.0.6723.119_chrome_installer.exe
  "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\130.0.6723.119_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\2f9db79c-2877-476e-aa94-2736b2f88777.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3528
- - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe
    "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe" --install-archive="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\2f9db79c-2877-476e-aa94-2736b2f88777.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    PID:5272
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe
      C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff77e94ec28,0x7ff77e94ec34,0x7ff77e94ec40
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:920
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe
      "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:4748
    - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe
        
        C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5012_631944933\CR_939B1.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff77e94ec28,0x7ff77e94ec34,0x7ff77e94ec40
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5328
- C:\Program Files\Google\Chrome\Application\130.0.6723.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\130.0.6723.119\Installer\setup.exe" --rename-chrome-exe --system-level --verbose-logging --channel=stable
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2176
- - C:\Program Files\Google\Chrome\Application\130.0.6723.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\130.0.6723.119\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.119 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff7ee44ec28,0x7ff7ee44ec34,0x7ff7ee44ec40
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:6052
- - C:\Program Files\Google\Chrome\Application\130.0.6723.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\130.0.6723.119\Installer\setup.exe" --channel=stable --delete-old-versions --system-level --verbose-logging
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5440
  - - C:\Program Files\Google\Chrome\Application\130.0.6723.119\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\130.0.6723.119\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7ee44ec28,0x7ff7ee44ec34,0x7ff7ee44ec40
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f2a77c38,0x7ff9f2a77c44,0x7ff9f2a77c50
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1920,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2152,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=2160 /prefetch:11
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2344,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=2360 /prefetch:13
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4288,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4308 /prefetch:9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4932,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5472,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=5412 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3800,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4420,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4328 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4408,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=1484 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3508,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5780,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4176,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4832,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4828 /prefetch:10
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=2272,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4848,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=5940 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3804,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4664,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6276,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6564,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6496,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6520,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6976,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7144,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7260,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7272 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7160,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7412 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7544,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7564 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7712,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7692 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7852,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7872 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=8068,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=8024 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=8180,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7856 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=8204,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=8188 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=8512,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=8176 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=8484,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=8612 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=8764,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=8760 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=8224,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=8908 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=8748,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9036 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=7140,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=8944 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=8156,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7376 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=5884,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7332 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=4924,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=7172,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7188 /prefetch:12
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=7344,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=7324,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=7032,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=9168,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9196 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=9204,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9336 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=9488,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9512 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=9656,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9664 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=9820,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9676 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=9976,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9832 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=10112,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10012 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=10276,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10288 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=10840,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10816 /prefetch:1
  2⤵
  PID:6436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=10820,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10756 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=10576,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10968 /prefetch:1
  2⤵
  PID:6452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=11096,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10620 /prefetch:1
  2⤵
  PID:6460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=11140,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10664 /prefetch:1
  2⤵
  PID:6468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=11212,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11252 /prefetch:1
  2⤵
  PID:6476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=11216,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11404 /prefetch:1
  2⤵
  PID:6772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=6152,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11540 /prefetch:1
  2⤵
  PID:6896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=11156,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11548 /prefetch:1
  2⤵
  PID:6904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=11796,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11420 /prefetch:1
  2⤵
  PID:7008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=10996,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12080 /prefetch:1
  2⤵
  PID:7064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=11928,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11756 /prefetch:1
  2⤵
  PID:7140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=11964,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12004 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=11800,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12444 /prefetch:1
  2⤵
  PID:6892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=13464,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13420 /prefetch:1
  2⤵
  PID:7200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=13456,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12916 /prefetch:1
  2⤵
  PID:7208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=13476,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13292 /prefetch:1
  2⤵
  PID:7216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=13160,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13188 /prefetch:1
  2⤵
  PID:7224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=13176,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12976 /prefetch:1
  2⤵
  PID:7232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=11924,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12860 /prefetch:1
  2⤵
  PID:7560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=12664,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12612 /prefetch:1
  2⤵
  PID:7752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=13516,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12872 /prefetch:1
  2⤵
  PID:7844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --field-trial-handle=13640,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13056 /prefetch:1
  2⤵
  PID:7984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --field-trial-handle=13632,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13800 /prefetch:1
  2⤵
  PID:8040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=13648,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13920 /prefetch:1
  2⤵
  PID:8048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=14108,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13660 /prefetch:1
  2⤵
  PID:8156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --field-trial-handle=14132,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14256 /prefetch:1
  2⤵
  PID:7456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --field-trial-handle=14380,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14396 /prefetch:1
  2⤵
  PID:7484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --field-trial-handle=14048,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14104 /prefetch:1
  2⤵
  PID:7532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=14664,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14680 /prefetch:1
  2⤵
  PID:7544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --field-trial-handle=14840,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14712 /prefetch:1
  2⤵
  PID:7724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --field-trial-handle=14980,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14988 /prefetch:1
  2⤵
  PID:7748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --field-trial-handle=14372,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15128 /prefetch:1
  2⤵
  PID:7964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --field-trial-handle=15168,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15284 /prefetch:1
  2⤵
  PID:8200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --field-trial-handle=15476,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15144 /prefetch:1
  2⤵
  PID:8376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --field-trial-handle=15500,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14248 /prefetch:1
  2⤵
  PID:8388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --field-trial-handle=15720,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14056 /prefetch:1
  2⤵
  PID:8444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --field-trial-handle=15680,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15868 /prefetch:1
  2⤵
  PID:8520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --field-trial-handle=14532,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15832 /prefetch:1
  2⤵
  PID:8592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --field-trial-handle=15040,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=16108 /prefetch:1
  2⤵
  PID:8644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --field-trial-handle=15788,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15172 /prefetch:1
  2⤵
  PID:9188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --field-trial-handle=14408,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15784 /prefetch:1
  2⤵
  PID:9208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --field-trial-handle=15792,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15116 /prefetch:1
  2⤵
  PID:7204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --field-trial-handle=3080,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15000 /prefetch:1
  2⤵
  PID:6884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --field-trial-handle=12624,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12596 /prefetch:1
  2⤵
  PID:7296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --field-trial-handle=13112,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12996 /prefetch:1
  2⤵
  PID:8148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --field-trial-handle=13252,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12012 /prefetch:1
  2⤵
  PID:7536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --field-trial-handle=12632,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15104 /prefetch:1
  2⤵
  PID:7460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=14824,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15764 /prefetch:14
  2⤵
  PID:8552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --field-trial-handle=12912,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13872 /prefetch:1
  2⤵
  PID:9096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --field-trial-handle=13040,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13108 /prefetch:1
  2⤵
  PID:7324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --field-trial-handle=12644,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13108 /prefetch:1
  2⤵
  PID:6616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --field-trial-handle=15044,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13340 /prefetch:1
  2⤵
  PID:8396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --field-trial-handle=12996,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14680 /prefetch:1
  2⤵
  PID:8996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --field-trial-handle=12576,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13480 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --field-trial-handle=13472,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13256 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=12672,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15096 /prefetch:14
  2⤵
  PID:9188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --field-trial-handle=5676,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12240 /prefetch:1
  2⤵
  PID:7132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=115 --field-trial-handle=13828,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=12616 /prefetch:1
  2⤵
  PID:6816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --field-trial-handle=13880,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10700 /prefetch:1
  2⤵
  PID:9096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --field-trial-handle=11888,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11836 /prefetch:1
  2⤵
  PID:8540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11008,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10992 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:7504
- C:\Users\Admin\Downloads\Start11v2-setup.exe
  "C:\Users\Admin\Downloads\Start11v2-setup.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6564
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1936418 "__IRAFN:C:\Users\Admin\Downloads\Start11v2-setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-556537508-2730415644-482548075-1000"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:8116
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:8336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock ModernMix.lnk" (del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock ModernMix.lnk" & echo found)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock Start11.lnk" (del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock\Stardock Start11.lnk" & echo found)
      4⤵
      System Location Discovery: System Language Discovery
      PID:2320
  - - C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe
      "C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe" -install
      4⤵
      System Location Discovery: System Language Discovery
      PID:6708
    - - C:\Program Files (x86)\Stardock\Start11\Start11_64.exe
        
        "C:\Program Files (x86)\Stardock\Start11\Start11_64.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1840
  - - C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
      "C:\Program Files (x86)\Stardock\Start11\Start11Config.exe" INSTALL
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4740
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:468
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Stardock\Start11\Start10Shell64.dll"
        5⤵
        Modifies system executable filetype association
        
        PID:7384
  - - C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
      "C:\Program Files (x86)\Stardock\Start11\Start11Config.exe" FIXSEARCH
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:6568
  - - C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
      "C:\Program Files (x86)\Stardock\Start11\Start11Config.exe" REBUILDSEARCH
      4⤵
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8216,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=14752 /prefetch:14
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:7604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=13460,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11896 /prefetch:14
  2⤵
  - NTFS ADS
  PID:8204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --field-trial-handle=3332,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=13044 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --field-trial-handle=7040,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11972 /prefetch:1
  2⤵
  PID:6816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=123 --field-trial-handle=6528,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9624 /prefetch:1
  2⤵
  PID:8240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=124 --field-trial-handle=10104,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:8792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=125 --field-trial-handle=8096,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:7216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=126 --field-trial-handle=11452,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10884 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=127 --field-trial-handle=10908,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9492 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --field-trial-handle=9416,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=9508 /prefetch:1
  2⤵
  PID:6148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=129 --field-trial-handle=11504,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11100 /prefetch:1
  2⤵
  PID:8500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=130 --field-trial-handle=5716,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=15224 /prefetch:1
  2⤵
  PID:7572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=131 --field-trial-handle=6636,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=11236 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=132 --field-trial-handle=11428,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=8824 /prefetch:1
  2⤵
  PID:8876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --field-trial-handle=8852,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=10244 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=134 --field-trial-handle=13792,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7872 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=135 --field-trial-handle=7088,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:6428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=136 --field-trial-handle=9484,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4656,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7796 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1176
- C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.3.exe
  "C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.3.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6788
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6348
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6924
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2188
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:7664
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxinit.dll" /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:9156
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:9024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=138 --field-trial-handle=212,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7796 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8620,i,1154966882993058412,2932493974403491938,262144 --variations-seed-version=20241117-180246.704000 --mojo-platform-channel-handle=7700 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6172
- C:\Users\Admin\Downloads\StartIsBackPlusPlus_setup.exe
  "C:\Users\Admin\Downloads\StartIsBackPlusPlus_setup.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8836
- - C:\Users\Admin\AppData\Local\Temp\SIBSFX.A67E0284\StartIsBackCfg.exe
    "C:\Users\Admin\AppData\Local\Temp\SIBSFX.A67E0284\StartIsBackCfg.exe" /install
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7320
  - - C:\Users\Admin\AppData\Local\Temp\SIBSFX.A67E0284\StartIsBackCfg.exe
      "C:\Users\Admin\AppData\Local\Temp\SIBSFX.A67E0284\StartIsBackCfg.exe" /install /elevated
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\SIBSFX.A67E0284\startscreen.exe
        
        startscreen.exe /stop
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM startscreen*
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4140
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:7580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:7044
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM explorer*
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:7392
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "\StartIsBack health check" /XML "C:\Users\Admin\AppData\Local\Temp\sibtask.xml"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:7796
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Enumerates connected drives
      Checks SCSI registry key(s)
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:8716
    - - C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
        
        "C:\Program Files (x86)\Stardock\Start11\Start11Config.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:8420
      - C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe
        
        "C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe" -prodId=2674 -ProdName="Start11" -company="Stardock" -forceUi="Welcome" -parentPid=8420 -prodVer="2.1.1.0" -ResponsePipe=1448 -ownerWnd=000F0408
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 2280
        7⤵
        Program crash
        
        PID:3504
    - - C:\Program Files (x86)\StartIsBack\StartScreen.exe
        
        "C:\Program Files (x86)\StartIsBack\StartScreen.exe" /unpin
        5⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        
        PID:4864
    - - C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
        
        "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9184
    - - C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe
        
        "C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe" /welcome
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7588
      - C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe
        
        "C:\Program Files (x86)\StartIsBack\\StartIsBackCfg.exe" /appearance
        6⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3768
    - - C:\Program Files (x86)\StartIsBack\StartScreen.exe
        
        "C:\Program Files (x86)\StartIsBack\StartScreen.exe" /unpin
        5⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        
        PID:6104
    - - C:\Program Files (x86)\StartIsBack\StartScreen.exe
        
        "C:\Program Files (x86)\StartIsBack\StartScreen.exe" /unpin
        5⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        
        PID:1068

C:\Program Files\Google\Chrome\Application\130.0.6723.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\130.0.6723.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2444

C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4456
- C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6806.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x6b4400,0x6b440c,0x6b4418
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004D4
1⤵
PID:2272

C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --wake --system
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:8980
- C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6806.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x6b4400,0x6b440c,0x6b4418
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496

C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:9000
- C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6806.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x6b4400,0x6b440c,0x6b4418
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9004

C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --system --windows-service --service=update
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:9036
- C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6806.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6806.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x6b4400,0x6b440c,0x6b4418
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8424

C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Srv.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:8912
- C:\Program Files (x86)\Stardock\Start11\Start11_64.exe
  "C:\Program Files (x86)\Stardock\Start11\Start11_64.exe" START
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:7728

C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Config.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:836
- C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe
  "C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe" -prodId=2674 -ProdName="Start11" -company="Stardock" -forceUi="Welcome" -parentPid=836 -prodVer="2.1.1.0" -ResponsePipe=1508 -ownerWnd=00040356
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:7204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 2304
    3⤵
    - Program crash
    PID:6724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7204 -ip 7204
1⤵
PID:6644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:764

C:\Program Files (x86)\Stardock\Start11\Start11Config.exe
"C:\Program Files (x86)\Stardock\Start11\Start11Config.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:8344
- C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe
  "C:\Program Files (x86)\Stardock\Start11\SdDisplay.exe" -prodId=2674 -ProdName="Start11" -company="Stardock" -forceUi="Welcome" -parentPid=8344 -prodVer="2.1.1.0" -ResponsePipe=1564 -ownerWnd=00040380
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:8568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8568 -s 2296
    3⤵
    - Program crash
    PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8568 -ip 8568
1⤵
PID:9008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004D4
1⤵
PID:5632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:7864

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2484

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4576 -ip 4576
1⤵
PID:7820

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:7712

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl ,1
1⤵
- Modifies Control Panel
PID:5380

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5104

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\mmsys.cpl ,2
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery