quasar | d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
597	camo.githubusercontent.com
597	raw.githubusercontent.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc	pid	Process
174	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html	2112	chrome.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\playit_gg\bin\playit.exe	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e59a0ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1E3.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9631608A58F44267.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{8C17366B-843B-49DC-AC1B-748DC264E06F}\ProductICO	msiexec.exe
File created	C:\Windows\Installer\e59a0ad.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4401527395E72239.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\~DF175158C8D18056EF.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{8C17366B-843B-49DC-AC1B-748DC264E06F}\ProductICO	Taskmgr.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Installer\e59a0ab.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8C17366B-843B-49DC-AC1B-748DC264E06F}	msiexec.exe
File created	C:\Windows\Installer\{8C17366B-843B-49DC-AC1B-748DC264E06F}\ProductICO	msiexec.exe
File created	C:\Windows\SystemTemp\~DF43B2CFC6B201FA1E.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d3755855d3e98e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d3755850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d375585000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d375585000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d37558500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "55"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133832503974393607"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Quasar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B66371C8B348CD94CAB147D82C460EF6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B66371C8B348CD94CAB147D82C460EF6\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "5"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Quasar.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B66371C8B348CD94CAB147D82C460EF6\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "4"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Quasar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B66371C8B348CD94CAB147D82C460EF6\Environment = "Binaries"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B66371C8B348CD94CAB147D82C460EF6\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AEF046202130BD4399AB6404AFE7E2D	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Quasar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Quasar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B66371C8B348CD94CAB147D82C460EF6\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Quasar.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2499603254-3415597248-1508446358-1000\{9BE0B551-1540-44E1-A6EE-559AC863B4E6}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "6"	Quasar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B66371C8B348CD94CAB147D82C460EF6\ProductName = "playit"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\playit-windows-x86_64-signed.msi:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1208	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2324	schtasks.exe
3040	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2280	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
5584	chrome.exe
5584	chrome.exe
5584	chrome.exe
5584	chrome.exe
1968	msiexec.exe
1968	msiexec.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5040	Quasar.exe
5984	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
4320	msiexec.exe
4320	msiexec.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
5040	Quasar.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
5040	Quasar.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe
5984	Taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
5040	Quasar.exe
5040	Quasar.exe
5040	Quasar.exe
5040	Quasar.exe
5040	Quasar.exe
5040	Quasar.exe
5524	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1208	3068	cmd.exe	78
PID 3068 wrote to memory of 1208	3068	cmd.exe	78
PID 1896 wrote to memory of 5924	1896	chrome.exe	82
PID 1896 wrote to memory of 5924	1896	chrome.exe	82
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 884	1896	chrome.exe	83
PID 1896 wrote to memory of 2112	1896	chrome.exe	84
PID 1896 wrote to memory of 2112	1896	chrome.exe	84
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85
PID 1896 wrote to memory of 6088	1896	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff90010cc40,0x7ff90010cc4c,0x7ff90010cc58
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1980 /prefetch:3
  2⤵
  - Mark of the Web detected: This indicates that the page was originally saved or cloned.
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2076,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3548,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4292,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4572,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3444,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5260,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5300,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:2
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5396,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3764,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3772,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4696,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4660,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5072,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3244,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5864,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5732,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5860,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5232,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5488,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6372,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6356,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6652,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6640,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6768,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=6944,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7232,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7084,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7396 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=7352,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7520 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=7360,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7656 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=7788,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7244 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=7676,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7780 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=8084,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8092 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8224,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8240 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=8432,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8440 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=8228,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8548 /prefetch:1
  2⤵
  PID:124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=8668,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8680 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=8416,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8856 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=8716,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8968 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=9136,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8376 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=7048,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9280 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=9448,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9412 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=9604,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9588 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=9720,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9740 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=9580,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9900 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=9420,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10000 /prefetch:1
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=10176,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10200 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=10304,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10320 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=10456,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9904 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=9156,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10612 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=10588,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10600 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=10700,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9740 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=10716,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=10640,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9148 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=9808,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10404 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=10428,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9856 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=9304,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=10440,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=8972,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10204 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=9800,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=8544,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9256 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=7228,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9148 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=3376,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10664 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=10032,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=10464,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10556 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=7164,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7200 /prefetch:1
  2⤵
  PID:616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=7156,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=7116,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=8168,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --field-trial-handle=6476,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --field-trial-handle=6520,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=9876,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8896 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=8940,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8928 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --field-trial-handle=3196,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8412 /prefetch:1
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --field-trial-handle=8708,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9908 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --field-trial-handle=8236,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=3704,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7808 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --field-trial-handle=8240,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8396 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --field-trial-handle=7984,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7800 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --field-trial-handle=7132,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8636 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --field-trial-handle=6140,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9884 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8744,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7888 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4364
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\playit-windows-x86_64-signed.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=7028,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --field-trial-handle=7492,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2632 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --field-trial-handle=4876,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10260 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --field-trial-handle=8532,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7512 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --field-trial-handle=5840,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10856 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --field-trial-handle=4436,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8456 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --field-trial-handle=10444,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=9804 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7688,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8020,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --field-trial-handle=1448,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10848 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --field-trial-handle=5568,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --field-trial-handle=5696,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6352,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6392 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6388,i,7306748643342832881,4864714731494883194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=10036 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2580

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1968
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5188

C:\Program Files\playit_gg\bin\playit.exe
"C:\Program Files\playit_gg\bin\playit.exe"
1⤵
- Executes dropped EXE
PID:3064

C:\Program Files\playit_gg\bin\playit.exe
"C:\Program Files\playit_gg\bin\playit.exe"
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2740

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5040
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
  2⤵
  PID:4508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5984

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3364
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2324
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:5192
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    - Drops file in Windows directory
    - Enumerates system info in registry
    PID:4720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff90010cc40,0x7ff90010cc4c,0x7ff90010cc58
      4⤵
      PID:740
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,10264764571128936820,5913744691286449968,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=1800 /prefetch:2
      4⤵
      PID:3460
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,10264764571128936820,5913744691286449968,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=2124 /prefetch:3
      4⤵
      PID:5912
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,10264764571128936820,5913744691286449968,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=2472 /prefetch:8
      4⤵
      PID:2984
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,10264764571128936820,5913744691286449968,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=3132 /prefetch:1
      4⤵
      PID:1752
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,10264764571128936820,5913744691286449968,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=3164 /prefetch:1
      4⤵
      PID:1388
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3116,i,10264764571128936820,5913744691286449968,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=3576 /prefetch:1
      4⤵
      PID:4652
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /s /t 0
    3⤵
    PID:5824

C:\Program Files\playit_gg\bin\playit.exe
"C:\Program Files\playit_gg\bin\playit.exe"
1⤵
- Executes dropped EXE
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff90010cc40,0x7ff90010cc4c,0x7ff90010cc58
  2⤵
  PID:5692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,18368646294275985391,16599154313350542439,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:6008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1692,i,18368646294275985391,16599154313350542439,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=1988 /prefetch:3
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2096,i,18368646294275985391,16599154313350542439,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,18368646294275985391,16599154313350542439,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,18368646294275985391,16599154313350542439,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,18368646294275985391,16599154313350542439,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:2320

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4792

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90010cc40,0x7ff90010cc4c,0x7ff90010cc58
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,6387682450411200817,9228404951158638629,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1808,i,6387682450411200817,9228404951158638629,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=1952 /prefetch:3
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,6387682450411200817,9228404951158638629,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=1720 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,6387682450411200817,9228404951158638629,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,6387682450411200817,9228404951158638629,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,6387682450411200817,9228404951158638629,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3296,i,6387682450411200817,9228404951158638629,262144 --variations-seed-version=20250205-050123.127000 --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3132

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4812

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3959855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery