fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\A:	SMΔRTP.exe
File opened (read-only)	\??\G:	SMΔRTP.exe
File opened (read-only)	\??\H:	SMΔRTP.exe
File opened (read-only)	\??\I:	SMΔRTP.exe
File opened (read-only)	\??\J:	SMΔRTP.exe
File opened (read-only)	\??\K:	SMΔRTP.exe
File opened (read-only)	\??\X:	SMΔRTP.exe
File opened (read-only)	\??\M:	SMΔRTP.exe
File opened (read-only)	\??\B:	SMΔRTP.exe
File opened (read-only)	\??\O:	SMΔRTP.exe
File opened (read-only)	\??\W:	SMΔRTP.exe
File opened (read-only)	\??\R:	SMΔRTP.exe
File opened (read-only)	\??\E:	SMΔRTP.exe
File opened (read-only)	\??\I:	SMΔRTP.exe
File opened (read-only)	\??\N:	SMΔRTP.exe
File opened (read-only)	\??\O:	SMΔRTP.exe
File opened (read-only)	\??\Q:	SMΔRTP.exe
File opened (read-only)	\??\T:	SMΔRTP.exe
File opened (read-only)	\??\V:	SMΔRTP.exe
File opened (read-only)	\??\N:	SMΔRTP.exe
File opened (read-only)	\??\Y:	SMΔRTP.exe
File opened (read-only)	\??\Z:	SMΔRTP.exe
File opened (read-only)	\??\A:	SMΔRTP.exe
File opened (read-only)	\??\L:	SMΔRTP.exe
File opened (read-only)	\??\P:	SMΔRTP.exe
File opened (read-only)	\??\Z:	SMΔRTP.exe
File opened (read-only)	\??\P:	SMΔRTP.exe
File opened (read-only)	\??\S:	SMΔRTP.exe
File opened (read-only)	\??\V:	SMΔRTP.exe
File opened (read-only)	\??\H:	SMΔRTP.exe
File opened (read-only)	\??\M:	SMΔRTP.exe
File opened (read-only)	\??\T:	SMΔRTP.exe
File opened (read-only)	\??\E:	SMΔRTP.exe
File opened (read-only)	\??\K:	SMΔRTP.exe
File opened (read-only)	\??\W:	SMΔRTP.exe
File opened (read-only)	\??\L:	SMΔRTP.exe
File opened (read-only)	\??\Q:	SMΔRTP.exe
File opened (read-only)	\??\U:	SMΔRTP.exe
File opened (read-only)	\??\B:	SMΔRTP.exe
File opened (read-only)	\??\J:	SMΔRTP.exe
File opened (read-only)	\??\S:	SMΔRTP.exe
File opened (read-only)	\??\U:	SMΔRTP.exe
File opened (read-only)	\??\Y:	SMΔRTP.exe
File opened (read-only)	\??\R:	SMΔRTP.exe
File opened (read-only)	\??\G:	SMΔRTP.exe
File opened (read-only)	\??\X:	SMΔRTP.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SMADAV\unins000.dat	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-IU9JF.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-A8ON3.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-0J071.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-980UP.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-E5411.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-8G38E.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-EJ775.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-CFT4E.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-MNB23.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-H7QEN.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-42PDJ.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-1QQRB.tmp	smadav2024rev152.tmp
File created	C:\Program Files (x86)\SMADAV\is-K22J3.tmp	smadav2024rev152.tmp
File opened for modification	C:\Program Files (x86)\SMADAV\unins000.dat	smadav2024rev152.tmp

Executes dropped EXE 6 IoCs

pid	Process
2288	smadav2024rev152.exe
1996	smadav2024rev152.tmp
1524	SMΔRTP.exe
1040	SmadavProtect64.exe
1104	Process not Found
2364	SMΔRTP.exe

Loads dropped DLL 18 IoCs

pid	Process
2528	AnyDesk.exe
2376	AnyDesk.exe
2288	smadav2024rev152.exe
1996	smadav2024rev152.tmp
1996	smadav2024rev152.tmp
1996	smadav2024rev152.tmp
1996	smadav2024rev152.tmp
1996	smadav2024rev152.tmp
1996	smadav2024rev152.tmp
2980	regsvr32.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1040	SmadavProtect64.exe
1220	Process not Found
2568	chrome.exe
1636	chrome.exe
2364	SMΔRTP.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMΔRTP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMΔRTP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smadav2024rev152.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smadav2024rev152.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d0471d46584fdb01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d0471d46584fdb01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d0471d46584fdb01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d0471d46584fdb01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d0471d46584fdb01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d0471d46584fdb01	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000070e61a46584fdb01	AnyDesk.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\SmadExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\SmadExt\ = "{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\InprocServer32\ = "C:\\Program Files (x86)\\SMADAV\\SmadExtMenu64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\SmadExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\SmadExt\ = "{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\ = "SmadExt Class"	regsvr32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
900	schtasks.exe
2292	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2528	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	AnyDesk.exe
2568	chrome.exe
2568	chrome.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	AnyDesk.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2140	AnyDesk.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
1996	smadav2024rev152.tmp
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2528	AnyDesk.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2140	AnyDesk.exe
2140	AnyDesk.exe
1524	SMΔRTP.exe
1524	SMΔRTP.exe
1040	SmadavProtect64.exe
2364	SMΔRTP.exe
2364	SMΔRTP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2376	2092	AnyDesk.exe	30
PID 2092 wrote to memory of 2376	2092	AnyDesk.exe	30
PID 2092 wrote to memory of 2376	2092	AnyDesk.exe	30
PID 2092 wrote to memory of 2376	2092	AnyDesk.exe	30
PID 2092 wrote to memory of 2528	2092	AnyDesk.exe	31
PID 2092 wrote to memory of 2528	2092	AnyDesk.exe	31
PID 2092 wrote to memory of 2528	2092	AnyDesk.exe	31
PID 2092 wrote to memory of 2528	2092	AnyDesk.exe	31
PID 2568 wrote to memory of 2556	2568	chrome.exe	39
PID 2568 wrote to memory of 2556	2568	chrome.exe	39
PID 2568 wrote to memory of 2556	2568	chrome.exe	39
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 860	2568	chrome.exe	41
PID 2568 wrote to memory of 1284	2568	chrome.exe	42
PID 2568 wrote to memory of 1284	2568	chrome.exe	42
PID 2568 wrote to memory of 1284	2568	chrome.exe	42
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43
PID 2568 wrote to memory of 1152	2568	chrome.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2140
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2528

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef50d9758,0x7fef50d9768,0x7fef50d9778
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:2
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1540 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2108 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1332 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:2
  2⤵
  PID:292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1408 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3712 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=656 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1124 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1972 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1808 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2060 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3872 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4276 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4304 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4456 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4416 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Users\Admin\Downloads\smadav2024rev152.exe
  "C:\Users\Admin\Downloads\smadav2024rev152.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\is-7A96J.tmp\smadav2024rev152.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7A96J.tmp\smadav2024rev152.tmp" /SL5="$902B4,1886246,133120,C:\Users\Admin\Downloads\smadav2024rev152.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1996
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\SMADAV\SmadExtMenu64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2980
  - - C:\Program Files (x86)\SMADAV\SMΔRTP.exe
      "C:\Program Files (x86)\SMADAV\SMΔRTP.exe" rtc
      4⤵
      Adds Run key to start application
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1524
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /tn "smadav" /xml "C:\Users\Admin\AppData\Roaming\Smadav\smadav.xml"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2292
    - - C:\Program Files (x86)\Smadav\SmadavProtect64.exe
        
        "C:\Program Files (x86)\Smadav\SmadavProtect64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1040
    - - C:\Program Files (x86)\Smadav\SMΔRTP.exe
        
        "C:\Program Files (x86)\Smadav\SMΔRTP.exe"
        5⤵
        Enumerates connected drives
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2364
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Smadav\SmadExtc64.dll"
        5⤵
        
        PID:1696
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Smadav\SmadExtc64.dll"
        6⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /tn "SmadavSecondaryUpdater" /xml "C:\Users\Admin\AppData\Roaming\Smadav\SmadavSecondaryUpdater.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=904 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=2536 --field-trial-handle=1236,i,9690894931413580563,81851767980249180,131072 /prefetch:1
  2⤵
  PID:2084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2980

C:\Windows\ehome\ehshell.exe
"C:\Windows\ehome\ehshell.exe"
1⤵
PID:3668
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /SkipFUE /RemoteOCXLaunch /SuppressDialogs
  2⤵
  PID:3876

C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /showgadgets
1⤵
PID:3576

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:316

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef50d9758,0x7fef50d9768,0x7fef50d9778
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1216,i,13767265443399081094,6722434525523464442,131072 /prefetch:2
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1216,i,13767265443399081094,6722434525523464442,131072 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1216,i,13767265443399081094,6722434525523464442,131072 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1216,i,13767265443399081094,6722434525523464442,131072 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --instant-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 --field-trial-handle=1216,i,13767265443399081094,6722434525523464442,131072 /prefetch:1
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1252 --field-trial-handle=1216,i,13767265443399081094,6722434525523464442,131072 /prefetch:2
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 --field-trial-handle=1216,i,13767265443399081094,6722434525523464442,131072 /prefetch:8
  2⤵
  PID:3832

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3160

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",
1⤵
PID:3196
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",
  2⤵
  PID:2536
- - C:\Windows\System32\SystemPropertiesComputerName.exe
    "C:\Windows\System32\SystemPropertiesComputerName.exe"
    3⤵
    PID:2248

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2728
- C:\Windows\System32\perfmon.exe
  "C:\Windows\System32\perfmon.exe" /res
  2⤵
  PID:300

C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe
"C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe" /TrayOnly /NoLogon
1⤵
PID:2364
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1328
  2⤵
  PID:3212
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1328
    3⤵
    PID:2736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3364
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:1736
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery