a6ee6130d83bbe55e9dacdff2005950d69fc2d3c54e28467b82c148e274d90da

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
604	4844	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
6044	NoEscape.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
573	raw.githubusercontent.com
604	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker-3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBuddy432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Mouse	NoEscape.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Mouse\SwapMouseButtons = "1"	NoEscape.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Desktop	NoEscape.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Desktop\AutoColorization = "1"	NoEscape.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "4"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876589703036326"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1216697136-3907990103-1733992739-1000\{218B117E-86AE-43AC-9CF4-5B1C6878A6BF}	chrome.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bon.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier	chrome.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
1844	chrome.exe
1844	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5060	AutoClicker-3.1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs

pid	Process
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4872	BonziBuddy432.exe
5352	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 924	912	chrome.exe	81
PID 912 wrote to memory of 924	912	chrome.exe	81
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4844	912	chrome.exe	83
PID 912 wrote to memory of 4844	912	chrome.exe	83
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 4860	912	chrome.exe	82
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84
PID 912 wrote to memory of 8	912	chrome.exe	84

System policy modification 1 TTPs 5 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	NoEscape.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe
"C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd591bdcf8,0x7ffd591bdd04,0x7ffd591bdd10
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1496,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2212 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2372 /prefetch:13
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3260,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2956 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3436,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4200,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4180 /prefetch:9
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5276,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5288 /prefetch:14
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5512,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5516 /prefetch:14
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5664,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5680,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5644 /prefetch:14
  2⤵
  PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5724,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5836 /prefetch:14
  2⤵
  PID:5408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5312,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4676 /prefetch:14
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5316,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3448 /prefetch:14
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5832,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3508,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5296,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5644,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5516,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6260,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6256,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6412 /prefetch:14
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6384,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6444 /prefetch:14
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6420,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6476 /prefetch:14
  2⤵
  PID:5440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5508,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4776 /prefetch:9
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=4636,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=3552,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5976,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6336,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5640,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5604,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=3660,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6120,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6128,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=6280,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=4716,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=6884,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --init-isolate-as-foreground --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=6880,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7056 /prefetch:9
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --pdf-renderer --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=6936,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=4708,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=4768,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6148,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=6980,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=4296,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=6072,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=7060,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=6924,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=4244,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=3316,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=4312,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=7284,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7252 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=7384,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=7200,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=7188,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7324 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7236,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7540 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=7880,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7700 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=7980,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7988 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=7872,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=8152 /prefetch:1
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4516,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7540 /prefetch:14
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=7612,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=7688 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=8276,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=8392 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=8412,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=8420 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=8644,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=8620 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=8360,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=8792 /prefetch:12
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=8592,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=8752 /prefetch:14
  2⤵
  - Modifies registry class
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=8108,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=8936 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=9180,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=9168 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7920,i,8612713014063774265,5282216487698997569,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3876 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5088
- C:\Users\Admin\Downloads\NoEscape.exe
  "C:\Users\Admin\Downloads\NoEscape.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - NTFS ADS
  - System policy modification
  PID:6044

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\Temp1_Bon.zip\BonziBuddy432.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Bon.zip\BonziBuddy432.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e6855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry