quasar | 37b5e44f7394fbc1263d053482c71406e8dcac97ede0f682750941227868a186

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133742494430078255"	chrome.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\latest.ver.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3932	schtasks.exe
2376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4900	chrome.exe
4900	chrome.exe
696	taskmgr.exe
696	taskmgr.exe
3856	chrome.exe
3856	chrome.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
3856	chrome.exe
3856	chrome.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1592	MiniSearchHost.exe
3264	Windowupdata.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4356	1184	cmd.exe	81
PID 1184 wrote to memory of 4356	1184	cmd.exe	81
PID 4900 wrote to memory of 3572	4900	chrome.exe	86
PID 4900 wrote to memory of 3572	4900	chrome.exe	86
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2868	4900	chrome.exe	87
PID 4900 wrote to memory of 2076	4900	chrome.exe	88
PID 4900 wrote to memory of 2076	4900	chrome.exe	88
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89
PID 4900 wrote to memory of 4512	4900	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lowx ULP (3).txt"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Lowx ULP (3).txt
  2⤵
  PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7ffe3133cc40,0x7ffe3133cc4c,0x7ffe3133cc58
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1776,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1976,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4524,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5108,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4324 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5028,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4516,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4592,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4860,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3472,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5328,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3284,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5292,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4948
- C:\Users\Admin\Downloads\latest.ver.exe
  "C:\Users\Admin\Downloads\latest.ver.exe"
  2⤵
  - Executes dropped EXE
  PID:996
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "windowupdata" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windowupdata.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3932
- - C:\Users\Admin\AppData\Roaming\SubDir\Windowupdata.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Windowupdata.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3264
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "windowupdata" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windowupdata.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4948,i,17908690104942229099,7765307325520155156,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3004

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3576

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1580

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery