35b38abfce50292e78c4c0d257e88ea0c039c406e995e9d427b598799a8f249b

Analysis

max time kernel
314s
max time network
321s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2023 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release.zip
Size

51.6MB
MD5

1eab332b9e3d41fcd7bd6314c80a06f2
SHA1

461d3518cc0812f7b71d87e1e82849d72bd58448
SHA256

35b38abfce50292e78c4c0d257e88ea0c039c406e995e9d427b598799a8f249b
SHA512

368408a91d182b72bed47ce546fc5ee834e20dba67220ae9877aa47456e6f3c8ebeca3ecb13e898fa01b2f349f89bd238449f37e816fb3adeedc23c472721ab8
SSDEEP

1572864:hOGGEbSUOcH7ddbstzsz4I88vHFIqM9BC:hOGGEbST2FstkJ88lIq4Y

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5760	windowsdesktop-runtime-6.0.13-win-x64.exe
5584	windowsdesktop-runtime-6.0.13-win-x64.exe
5904	windowsdesktop-runtime-6.0.13-win-x64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	windowsdesktop-runtime-6.0.13-win-x64.exe

Loads dropped DLL 64 IoCs

pid	Process
5584	windowsdesktop-runtime-6.0.13-win-x64.exe
5536	MsiExec.exe
5536	MsiExec.exe
3484	MsiExec.exe
3484	MsiExec.exe
1652	MsiExec.exe
1652	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe
4152	BedrockLauncher.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	windowsdesktop-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{96cf40b0-81d6-43ed-ad0e-611e67899196} = "\"C:\\ProgramData\\Package Cache\\{96cf40b0-81d6-43ed-ad0e-611e67899196}\\windowsdesktop-runtime-6.0.13-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-6.0.13-win-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Private.Xml.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.ValueTuple.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Reflection.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.CodeDom.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\it\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Net.Http.Json.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Numerics.Vectors.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Xaml.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\de\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ko\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\tr\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pt-BR\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Transactions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\mscorlib.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Security.Claims.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.IO.Compression.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Runtime.InteropServices.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Runtime.Serialization.Xml.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Runtime.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Security.Principal.Windows.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Threading.AccessControl.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\de\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\tr\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-libraryloader-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Memory.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Configuration.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\zh-Hant\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\de\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Threading.Tasks.Parallel.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Reflection.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Resources.Writer.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Security.Cryptography.OpenSsl.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ja\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-fibers-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-profile-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\hostpolicy.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-file-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Net.Ping.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\it\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\zh-Hans\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-datetime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\.version	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Drawing.Design.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\Microsoft.NETCore.App.deps.json	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\fr\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pl\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Diagnostics.EventLog.Messages.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ja\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Windows.Extensions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\Microsoft.NETCore.App.runtimeconfig.json	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\D3DCompiler_47_cor3.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Configuration.ConfigurationManager.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\Microsoft.VisualBasic.Forms.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pt-BR\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\it\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\de\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\fr\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Buffers.dll	msiexec.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e597e4e.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9511601E-12FF-4972-BF9C-2992F2CA5A32}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI92B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e597e52.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9593.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e597e5a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB056.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI898A.tmp	msiexec.exe
File created	C:\Windows\Installer\e597e51.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8CDACE3C-0064-4A17-A02C-49F831D5F73A}	msiexec.exe
File created	C:\Windows\Installer\e597e56.msi	msiexec.exe
File created	C:\Windows\Installer\e597e59.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8484730A-68A4-4C63-93B4-52628D3B488D}	msiexec.exe
File created	C:\Windows\Installer\e597e5d.msi	msiexec.exe
File created	C:\Windows\Installer\e597e52.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B82.tmp	msiexec.exe
File created	C:\Windows\Installer\e597e5a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e597e4e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EA0.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5F0DB006-2AE3-4D36-8077-65247FD687D4}	msiexec.exe
File created	C:\Windows\Installer\e597e55.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e597e56.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A68.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI811D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9469.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA662.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1012	4152	WerFault.exe	204
4212	2504	WerFault.exe	212
3740	936	WerFault.exe	216

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF94EABFBF456B47F477CDE6962FE1CF\600BD0F53EA263D408775642F76D784D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\Version = "808962985"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{96cf40b0-81d6-43ed-ad0e-611e67899196}	windowsdesktop-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{5F0DB006-2AE3-4D36-8077-65247FD687D4}v48.55.52137\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E1061159FF212794FBC992292FACA523	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.55.53270_x64\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.13 (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A03748484A8636C4394B2526D8B384D8\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.55.52137_x64\Dependents	windowsdesktop-runtime-6.0.13-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{9511601E-12FF-4972-BF9C-2992F2CA5A32}v48.55.52137\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7AAC419AA63514254F7B5A2BAD664AB5\A03748484A8636C4394B2526D8B384D8	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x64	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A03748484A8636C4394B2526D8B384D8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A03748484A8636C4394B2526D8B384D8\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C61AF4A983356BD7017B5363DF2BCFC2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A03748484A8636C4394B2526D8B384D8\ProductName = "Microsoft Windows Desktop Runtime - 6.0.13 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A03748484A8636C4394B2526D8B384D8\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A03748484A8636C4394B2526D8B384D8\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E1061159FF212794FBC992292FACA523\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Dependents	windowsdesktop-runtime-6.0.13-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\SourceList\PackageName = "dotnet-runtime-6.0.13-win-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x64\Dependents\{96cf40b0-81d6-43ed-ad0e-611e67899196}	windowsdesktop-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\PackageCode = "E16DED461D8D9AC4092FFCDE75D32EAA"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C61AF4A983356BD7017B5363DF2BCFC2\C3ECADC8460071A40AC2948F135D7FA3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A03748484A8636C4394B2526D8B384D8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x64\DisplayName = "Microsoft .NET Runtime - 6.0.13 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{8CDACE3C-0064-4A17-A02C-49F831D5F73A}v48.55.52137\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{96cf40b0-81d6-43ed-ad0e-611e67899196}\Version = "6.0.13.32001"	windowsdesktop-runtime-6.0.13-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C3ECADC8460071A40AC2948F135D7FA3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.55.52137_x64\ = "{8CDACE3C-0064-4A17-A02C-49F831D5F73A}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A03748484A8636C4394B2526D8B384D8\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{96cf40b0-81d6-43ed-ad0e-611e67899196}\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.13 (x64)"	windowsdesktop-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x64\ = "{5F0DB006-2AE3-4D36-8077-65247FD687D4}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\600BD0F53EA263D408775642F76D784D\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A03748484A8636C4394B2526D8B384D8\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{8484730A-68A4-4C63-93B4-52628D3B488D}v48.55.53270\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{8CDACE3C-0064-4A17-A02C-49F831D5F73A}v48.55.52137\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A03748484A8636C4394B2526D8B384D8\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.55.52137_x64	windowsdesktop-runtime-6.0.13-win-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.55.53270_x64\ = "{8484730A-68A4-4C63-93B4-52628D3B488D}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x64\Dependents	windowsdesktop-runtime-6.0.13-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A03748484A8636C4394B2526D8B384D8\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\ProductName = "Microsoft .NET Runtime - 6.0.13 (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A03748484A8636C4394B2526D8B384D8\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x64\Version = "48.55.52137"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 644817.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
3512	chrome.exe
3512	chrome.exe
1784	chrome.exe
1784	chrome.exe
4388	chrome.exe
4388	chrome.exe
5416	chrome.exe
5416	chrome.exe
5524	chrome.exe
5524	chrome.exe
5928	chrome.exe
5928	chrome.exe
1132	chrome.exe
1132	chrome.exe
2584	chrome.exe
2584	chrome.exe
4612	chrome.exe
4612	chrome.exe
6136	msedge.exe
6136	msedge.exe
5948	msedge.exe
5948	msedge.exe
428	identity_helper.exe
428	identity_helper.exe
5580	msedge.exe
5580	msedge.exe
5736	msiexec.exe
5736	msiexec.exe
5736	msiexec.exe
5736	msiexec.exe
5736	msiexec.exe
5736	msiexec.exe
5736	msiexec.exe
5736	msiexec.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeIncreaseQuotaPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeSecurityPrivilege	5736	msiexec.exe
Token: SeCreateTokenPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeLockMemoryPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeIncreaseQuotaPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeMachineAccountPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeTcbPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeSecurityPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeTakeOwnershipPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeLoadDriverPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeSystemProfilePrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeSystemtimePrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeProfSingleProcessPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeIncBasePriorityPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeCreatePagefilePrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeCreatePermanentPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeBackupPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeRestorePrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeShutdownPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeDebugPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeAuditPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeSystemEnvironmentPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeChangeNotifyPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeRemoteShutdownPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeUndockPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeSyncAgentPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeEnableDelegationPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeManageVolumePrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeImpersonatePrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeCreateGlobalPrivilege	5904	windowsdesktop-runtime-6.0.13-win-x64.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe
Token: SeRestorePrivilege	5736	msiexec.exe
Token: SeTakeOwnershipPrivilege	5736	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5540	BedrockLauncher.exe
5760	windowsdesktop-runtime-6.0.13-win-x64.exe
5584	windowsdesktop-runtime-6.0.13-win-x64.exe
5904	windowsdesktop-runtime-6.0.13-win-x64.exe
4152	BedrockLauncher.exe
2504	BedrockLauncher.exe
936	BedrockLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 5092	3512	chrome.exe	101
PID 3512 wrote to memory of 5092	3512	chrome.exe	101
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 4264	3512	chrome.exe	102
PID 3512 wrote to memory of 1932	3512	chrome.exe	103
PID 3512 wrote to memory of 1932	3512	chrome.exe	103
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104
PID 3512 wrote to memory of 816	3512	chrome.exe	104

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
1⤵
PID:504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff50e04f50,0x7fff50e04f60,0x7fff50e04f70
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3872 /prefetch:8
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:5616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:5576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3704 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:5792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  PID:6100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3984 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3992 /prefetch:8
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=220 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:5212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,9818389153514221999,16154438292249003029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:4152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

C:\Users\Admin\Desktop\release\net6.0-windows10.0.17763.0\BedrockLauncher.exe
"C:\Users\Admin\Desktop\release\net6.0-windows10.0.17763.0\BedrockLauncher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.9&gui=true
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff63a646f8,0x7fff63a64708,0x7fff63a64718
    3⤵
    PID:4084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
    3⤵
    PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
    3⤵
    PID:1644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
    3⤵
    PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
    3⤵
    PID:4812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 /prefetch:8
    3⤵
    PID:3212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
    3⤵
    PID:836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4296 /prefetch:8
    3⤵
    PID:1744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
    3⤵
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 /prefetch:8
    3⤵
    PID:4024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6136 /prefetch:8
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
    3⤵
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
    3⤵
    PID:5204
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
    3⤵
    PID:1972
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:1396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff78dd55460,0x7ff78dd55470,0x7ff78dd55480
      4⤵
      PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5580
- - C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.13-win-x64.exe
    "C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.13-win-x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5760
  - - C:\Windows\Temp\{318F768D-01D8-457C-BD34-5595F8243A6E}\.cr\windowsdesktop-runtime-6.0.13-win-x64.exe
      "C:\Windows\Temp\{318F768D-01D8-457C-BD34-5595F8243A6E}\.cr\windowsdesktop-runtime-6.0.13-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.13-win-x64.exe" -burn.filehandle.attached=676 -burn.filehandle.self=716
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:5584
    - - C:\Windows\Temp\{B750B944-F6D3-4055-B7B2-A242F4D3AE29}\.be\windowsdesktop-runtime-6.0.13-win-x64.exe
        
        "C:\Windows\Temp\{B750B944-F6D3-4055-B7B2-A242F4D3AE29}\.be\windowsdesktop-runtime-6.0.13-win-x64.exe" -q -burn.elevated BurnPipe.{A8515127-AF8F-4E2D-87AC-D107674FF459} {C7BE5CD9-4B47-4798-B971-CD545BC4D655} 5584
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:8
    3⤵
    PID:1292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
    3⤵
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3212 /prefetch:8
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1072 /prefetch:8
    3⤵
    PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3220 /prefetch:8
    3⤵
    PID:5540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4336 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,9183932590585073058,3229564335952133053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4104 /prefetch:8
    3⤵
    PID:6080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1FC372C42B56BEE991F54CB0FCC9BE7C
  2⤵
  - Loads dropped DLL
  PID:5536
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3CD4683CFCD02A64B0D0B66F85A204CF
  2⤵
  - Loads dropped DLL
  PID:3484
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 312397419B3F8C6AFDDA5FB605A61347
  2⤵
  - Loads dropped DLL
  PID:1652
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AE7CCA01E02F8568826126B8EE55060C
  2⤵
  - Loads dropped DLL
  PID:1808

C:\Users\Admin\Desktop\release\net6.0-windows10.0.17763.0\BedrockLauncher.exe
"C:\Users\Admin\Desktop\release\net6.0-windows10.0.17763.0\BedrockLauncher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4152
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4152 -s 2940
  2⤵
  - Program crash
  PID:1012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 4152 -ip 4152
1⤵
PID:1268

C:\Users\Admin\Desktop\release\net6.0-windows10.0.17763.0\BedrockLauncher.exe
"C:\Users\Admin\Desktop\release\net6.0-windows10.0.17763.0\BedrockLauncher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2504
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2504 -s 3012
  2⤵
  - Program crash
  PID:4212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 2504 -ip 2504
1⤵
PID:908

C:\Users\Admin\Desktop\release\net6.0-windows10.0.17763.0\BedrockLauncher.exe
"C:\Users\Admin\Desktop\release\net6.0-windows10.0.17763.0\BedrockLauncher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:936
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 936 -s 2972
  2⤵
  - Program crash
  PID:3740