fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{804e7d66-ccc2-4c12-84ba-476da31d103d} = "\"C:\\ProgramData\\Package Cache\\{804e7d66-ccc2-4c12-84ba-476da31d103d}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Downloads MZ/PE file

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FileSyncConfig.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\text-freetype2\locale\ja-JP.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\locales\vi.pak	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-filters\locale\id-ID.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-outputs\locale\mn-MN.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-wasapi\locale\id-ID.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-wasapi\locale\tl-PH.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\obs-plugins\64bit\chrome_elf.dll	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\coreaudio-encoder\locale\hr-HR.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\decklink\locale\mn-MN.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\decklink\locale\szl-PL.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\image-source\locale\da-DK.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\dist\public-types\ObjectListeners.d.ts.map	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\decklink\locale\da-DK.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-browser\locale\uk-UA.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-transitions\luma_wipes\barndoor-h.png	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\text-freetype2\locale\nl-NL.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\vlc-video\locale\bn-BD.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\dist\app-services\FunctionsFactory.js	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\dist\public-types\app-services\SyncConfiguration.d.ts.map	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-text	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-transitions\luma_wipes\linear-topright.png	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-x264\locale\oc-FR.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\vlc-video\locale\sr-SP.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-capture\locale\de-DE.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-dshow\locale\ka-GE.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\obs-plugins\64bit\obs-browser.dll	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\vulkan-1.dll	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\decklink\locale\en-GB.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\enc-amf\locale\hu-HU.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-outputs\locale\zh-TW.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\text-freetype2\locale\ka-GE.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\dist\Object.js.map	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\dist\public-types\app-services\PushClient.d.ts.map	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\color-picker\main.js	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\enc-amf\locale\vi-VN.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\rtmp-services\locale\nl-NL.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\rtmp-services\locale\ro-RO.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\text-freetype2\locale\gd-GB.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\dist\public-types\Results.d.ts.map	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-outputs\locale\nb-NO.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-dshow\locale\tl-PH.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-streamlabs-vst\locale\eu-ES.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-wasapi\locale\be-BY.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\react-native\ios\realm-js-ios.xcframework\ios-arm64\Headers	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-browser\locale\id-ID.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-streamlabs-vst\locale\pt-BR.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-outputs\locale\fr-FR.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-streamlabs-vst\locale\kab-KAB.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\image-source\locale\vi-VN.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\avutil-58.dll	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-filters\locale\ro-RO.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-vst\locale\de-DE.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-browser-page\locale\ta-IN.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\dist\async-iterator-from-response.js.map	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\dist\public-types\Types.d.ts.map	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-streamlabs-vst	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\realm\react-native\android\src\main\java\io\realm	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\decklink\locale\sq-AL.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\enc-amf\locale\el-GR.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\enc-amf\locale\en-US.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\win-dshow\locale\pt-BR.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-browser\locale\eo-UY.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-outputs\locale\ro-RO.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File created	C:\Program Files\Streamlabs OBS\resources\app.asar.unpacked\node_modules\obs-studio-node\data\obs-plugins\obs-transitions\locale\hr-HR.ini	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5F9A.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF825B63BE22901F32.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Installer\e635e71.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0361AFD6B00BE39A.TMP	msiexec.exe
File created	C:\Windows\Installer\e635e84.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF99CA1EB32F6C07E2.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e635e83.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e635e84.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E1902FC6-C423-4719-AB8A-AC7B2694B367}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCE2DBABEE43E524B.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6037.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF676C25C9550C5A70.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2CDB52A9D03B3EFE.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI61BF.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0487DFD3FD99F094.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e635e71.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{382F1166-A409-4C5B-9B1E-85ED538B8291}	msiexec.exe
File created	C:\Windows\Installer\e635e99.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6251168BFC2BA681.TMP	msiexec.exe

Executes dropped EXE 16 IoCs

pid	Process
5004	OneDriveSetup.exe
3352	OneDriveSetup.exe
3504	FileSyncConfig.exe
2140	OneDrive.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
6276	vc_redist.x64.exe
6300	vc_redist.x64.exe
6568	VC_redist.x64.exe
5080	Streamlabs OBS.exe
6420	Streamlabs OBS.exe
6440	Streamlabs OBS.exe
7148	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5488	Streamlabs OBS.exe
1588	Streamlabs OBS.exe
3828	Streamlabs OBS.exe
7720	Streamlabs OBS.exe

Loads dropped DLL 64 IoCs

pid	Process
3548	AnyDesk.exe
4060	AnyDesk.exe
3504	FileSyncConfig.exe
3504	FileSyncConfig.exe
3504	FileSyncConfig.exe
3504	FileSyncConfig.exe
3504	FileSyncConfig.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2116	DllHost.exe
2956	DllHost.exe
5272	DllHost.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
6300	vc_redist.x64.exe
1396	VC_redist.x64.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5308	DllHost.exe
5080	Streamlabs OBS.exe
6420	Streamlabs OBS.exe
6440	Streamlabs OBS.exe
6420	Streamlabs OBS.exe
6420	Streamlabs OBS.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileSyncConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000097e32746e391c5270000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000097e327460000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090097e32746000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d97e32746000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000097e3274600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	chrome.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Streamlabs OBS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Streamlabs OBS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Streamlabs OBS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Streamlabs OBS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Streamlabs OBS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Streamlabs OBS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Streamlabs OBS.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	OneDrive.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133801881591149703"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CurVer\ = "SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\\1"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0\win32	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\odopen\UseOriginalUrlEncoding = "1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ = "IGetSyncStatusCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\AppID\OneDrive.EXE\AppID = "{EEABD3A3-784D-4334-AAFC-BB13234F17CF}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_CLASSES\INTERFACE\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ = "IFileSyncClient7"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_CLASSES\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ = "ISyncEngineCOMServer"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76\Provider	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ = "IGetLinkCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_CLASSES\TYPELIB\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0\FLAGS	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\mssharepointclient\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\" /protocol:\"%1\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_CLASSES\WOW6432NODE\INTERFACE\{C1439245-96B4-47FC-B391-679386C5D40F}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_CLASSES\WOW6432NODE\INTERFACE\{FAC14B75-7862-4CEB-BE41-F53945A61C17}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_CLASSES\WOW6432NODE\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\PROGID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_CLASSES\WOW6432NODE\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\ = "UpToDateOverlayHandler2 Class"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_CLASSES\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\slobs-client-updater\installer.exe\:Zone.Identifier:$DATA	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
File opened for modification	C:\Users\Admin\Downloads\Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3548	AnyDesk.exe
5920	OneDrive.exe
2140	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4060	AnyDesk.exe
4060	AnyDesk.exe
4060	AnyDesk.exe
4060	AnyDesk.exe
2264	chrome.exe
2264	chrome.exe
5920	OneDrive.exe
5920	OneDrive.exe
5004	OneDriveSetup.exe
5004	OneDriveSetup.exe
5004	OneDriveSetup.exe
5004	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
3352	OneDriveSetup.exe
2140	OneDrive.exe
2140	OneDrive.exe
5992	chrome.exe
5992	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
5324	msiexec.exe
5324	msiexec.exe
5324	msiexec.exe
5324	msiexec.exe
5324	msiexec.exe
5324	msiexec.exe
5324	msiexec.exe
5324	msiexec.exe
5080	Streamlabs OBS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3444	AnyDesk.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	AnyDesk.exe
Token: 33	1348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1348	AUDIODG.EXE
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeIncreaseQuotaPrivilege	5004	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	3352	OneDriveSetup.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe
Token: SeCreatePagefilePrivilege	5992	chrome.exe
Token: SeShutdownPrivilege	5992	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
5920	OneDrive.exe
5920	OneDrive.exe
5920	OneDrive.exe
5920	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
3548	AnyDesk.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
5920	OneDrive.exe
5920	OneDrive.exe
5920	OneDrive.exe
5920	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe
5992	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3444	AnyDesk.exe
3444	AnyDesk.exe
888	MiniSearchHost.exe
5920	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
2140	OneDrive.exe
5744	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
6276	vc_redist.x64.exe
6300	vc_redist.x64.exe
6568	VC_redist.x64.exe
4680	VC_redist.x64.exe
1396	VC_redist.x64.exe
5748	VC_redist.x64.exe
7148	Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4060	5100	AnyDesk.exe	77
PID 5100 wrote to memory of 4060	5100	AnyDesk.exe	77
PID 5100 wrote to memory of 4060	5100	AnyDesk.exe	77
PID 5100 wrote to memory of 3548	5100	AnyDesk.exe	78
PID 5100 wrote to memory of 3548	5100	AnyDesk.exe	78
PID 5100 wrote to memory of 3548	5100	AnyDesk.exe	78
PID 2264 wrote to memory of 3096	2264	chrome.exe	108
PID 2264 wrote to memory of 3096	2264	chrome.exe	108
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 2200	2264	chrome.exe	109
PID 2264 wrote to memory of 3848	2264	chrome.exe	110
PID 2264 wrote to memory of 3848	2264	chrome.exe	110
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111
PID 2264 wrote to memory of 3128	2264	chrome.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3444
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3548

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffe7517cc40,0x7ffe7517cc4c,0x7ffe7517cc58
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:3
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:5656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4292,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5088,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5212,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5296,i,5990976943020807427,17390982374318925892,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:2
  2⤵
  PID:5900

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:684

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5920
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Checks system information in the registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    - Adds Run key to start application
    - Checks system information in the registry
    - Executes dropped EXE
    - Modifies system executable filetype association
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
      4⤵
      Drops desktop.ini file(s)
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3504
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      Checks system information in the registry
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2140

C:\Windows\SysWOW64\DllHost.exe
"C:\Windows\SysWOW64\DllHost.exe" /Processid:{5250E46F-BB09-D602-5891-F476DC89B700}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2116

C:\Windows\SysWOW64\DllHost.exe
"C:\Windows\SysWOW64\DllHost.exe" /Processid:{5250E46F-BB09-D602-5891-F476DC89B700}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2956

C:\Windows\SysWOW64\DllHost.exe
"C:\Windows\SysWOW64\DllHost.exe" /Processid:{5250E46F-BB09-D602-5891-F476DC89B700}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7517cc40,0x7ffe7517cc4c,0x7ffe7517cc58
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:5192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2180 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4404,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3076,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3348,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5752,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5764,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5416,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5900,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4544,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6020,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5664,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4356,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4512,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4364 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4932,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5536,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4716,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5312,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=212 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5240,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5776,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6420,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6460,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4392,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4424 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5608
- C:\Users\Admin\Downloads\Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
  "C:\Users\Admin\Downloads\Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5744
- - C:\Program Files\Streamlabs OBS\vc_redist.x64.exe
    "C:\Program Files\Streamlabs OBS\vc_redist.x64.exe" /passive /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6276
  - - C:\Windows\Temp\{F1BC5728-DD74-4199-A01D-2089C1E1BB95}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{F1BC5728-DD74-4199-A01D-2089C1E1BB95}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Streamlabs OBS\vc_redist.x64.exe" -burn.filehandle.attached=756 -burn.filehandle.self=760 /passive /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:6300
    - - C:\Windows\Temp\{E2580D4A-C6FF-43EC-81E9-BCBD730253FD}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{E2580D4A-C6FF-43EC-81E9-BCBD730253FD}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{D0809923-50A1-4560-956E-82A22A5CE41D} {0FEE1F11-4259-4823-9763-2D5E7BF1229E} 6300
        5⤵
        Adds Run key to start application
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6568
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=996 -burn.embedded BurnPipe.{95D4D257-9FB0-4290-895A-8C5956505D4D} {C662DAA9-D9C0-4CFE-A763-802E6D412635} 6568
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=572 -burn.filehandle.self=588 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=996 -burn.embedded BurnPipe.{95D4D257-9FB0-4290-895A-8C5956505D4D} {C662DAA9-D9C0-4CFE-A763-802E6D412635} 6568
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{FFF2CBAA-03A1-411A-8D79-5D52CA6658D8} {5F18F430-2290-4D37-B174-66A4D98A5B6F} 1396
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5428,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6236,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6640,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=4576,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=6996,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6796,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:6944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=4804,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=1176,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:6916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=6352,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=7012,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=7572,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7616 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=7576,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:6468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=4892,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7752 /prefetch:1
  2⤵
  PID:6664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=7948,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7928 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=8004,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7940 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=8048,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=8080 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=8028,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=8208,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=8240 /prefetch:1
  2⤵
  PID:7160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=8380,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=8408 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=6936,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=8540 /prefetch:1
  2⤵
  PID:6620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=8692,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=8400 /prefetch:1
  2⤵
  PID:6800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=8584,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=8708 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=8832,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=9008 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=8844,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=9136 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=9016,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=9276 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=9284,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=9428 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=9564,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=9268 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=9452,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=9708 /prefetch:1
  2⤵
  PID:7072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=9692,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=9852 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=9884,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=9996 /prefetch:1
  2⤵
  PID:6476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=10120,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10140 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=10396,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10428 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=10696,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10688 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=10720,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10712 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=6688,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:6484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=10928,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10892 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=10904,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=8060 /prefetch:1
  2⤵
  PID:6252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=11052,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10468 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=11068,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11200 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=11224,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11336 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=11360,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11492 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=11476,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11624 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=11756,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11772 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=12652,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11472 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=12600,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=12636 /prefetch:1
  2⤵
  PID:7648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=12656,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11900 /prefetch:1
  2⤵
  PID:7588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=12624,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10036 /prefetch:1
  2⤵
  PID:7584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=12140,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=12364 /prefetch:1
  2⤵
  PID:7384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --field-trial-handle=12084,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=12824 /prefetch:1
  2⤵
  PID:7680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --field-trial-handle=9460,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=12804 /prefetch:1
  2⤵
  PID:7736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=11500,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:7724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=12060,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:7596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --field-trial-handle=12044,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:7604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --field-trial-handle=12128,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=212 /prefetch:1
  2⤵
  PID:7624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --field-trial-handle=12112,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10972 /prefetch:1
  2⤵
  PID:6160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=12096,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11148 /prefetch:1
  2⤵
  PID:7700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --field-trial-handle=11956,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11256 /prefetch:1
  2⤵
  PID:7612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --field-trial-handle=10732,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11092 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --field-trial-handle=9744,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --field-trial-handle=10768,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:7376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --field-trial-handle=10836,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7308 /prefetch:1
  2⤵
  PID:7096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --field-trial-handle=6828,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --field-trial-handle=7148,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7904 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --field-trial-handle=11892,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10404 /prefetch:1
  2⤵
  PID:7420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --field-trial-handle=10032,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11868 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --field-trial-handle=7884,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:6624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --field-trial-handle=12832,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:6868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --field-trial-handle=8076,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11232 /prefetch:1
  2⤵
  PID:6212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --field-trial-handle=10232,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=12016 /prefetch:1
  2⤵
  PID:6388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --field-trial-handle=10416,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=8976 /prefetch:1
  2⤵
  PID:6896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --field-trial-handle=12584,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11820 /prefetch:1
  2⤵
  PID:7452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --field-trial-handle=7636,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=11584 /prefetch:1
  2⤵
  PID:7012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --field-trial-handle=10220,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=9132 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --field-trial-handle=11200,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --field-trial-handle=6748,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=12036 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --field-trial-handle=11820,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:7176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --field-trial-handle=11868,i,14583369755982565637,16448990783930775141,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=10192 /prefetch:1
  2⤵
  PID:7556

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:6692

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:7120

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5324

C:\Windows\SysWOW64\DllHost.exe
"C:\Windows\SysWOW64\DllHost.exe" /Processid:{5250E46F-BB09-D602-5891-F476DC89B700}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5308

C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe
"C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5080
- C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe
  "C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\slobs-client" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1788 --field-trial-handle=1792,i,13044747717468635799,10211513858653985699,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6420
- C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe
  "C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\Admin\AppData\Roaming\slobs-client" --mojo-platform-channel-handle=1968 --field-trial-handle=1792,i,13044747717468635799,10211513858653985699,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6440
- C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe
  "C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\slobs-client" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1288 --field-trial-handle=1792,i,13044747717468635799,10211513858653985699,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:7720

C:\Windows\SysWOW64\DllHost.exe
"C:\Windows\SysWOW64\DllHost.exe" /Processid:{5250E46F-BB09-D602-5891-F476DC89B700}
1⤵
- System Location Discovery: System Language Discovery
PID:5912

C:\Users\Admin\Downloads\Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe
"C:\Users\Admin\Downloads\Streamlabs+Desktop+Setup+1.17.0-tVb5xwdRQXu8ZGb.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:7148

C:\Windows\SysWOW64\DllHost.exe
"C:\Windows\SysWOW64\DllHost.exe" /Processid:{5250E46F-BB09-D602-5891-F476DC89B700}
1⤵
- System Location Discovery: System Language Discovery
PID:1812

C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe
"C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe"
1⤵
- Executes dropped EXE
PID:5488
- C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe
  "C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\slobs-client" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1700 --field-trial-handle=1704,i,13216309416311166214,4771749010592952235,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe
  "C:\Program Files\Streamlabs OBS\Streamlabs OBS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\slobs-client" --mojo-platform-channel-handle=2076 --field-trial-handle=1704,i,13216309416311166214,4771749010592952235,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  - Executes dropped EXE
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery