5c0ea6873ce7e54899a1f10e66e96964f0232e7cae1c6b750875f8576988f7ed

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aj820C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aj820C.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Control Panel\International\Geo\Nation	aj820C.exe

Deletes itself 1 IoCs

pid	Process
4536	cleanmgr.exe

Executes dropped EXE 36 IoCs

pid	Process
5084	FiveM.exe
5116	CitizenFX.exe.new
3168	FiveM.exe
340	FiveM.exe
800	FiveM_b2699_DumpServer
5620	avg_secure_browser_setup.exe
5864	aj820C.exe
5560	TI-Connect-4.0.0.218.exe
6852	WiseCustomCalla3.exe
5980	WiseCustomCalla.exe
6196	dpinst.exe
8064	WiseCustomCalla11.exe
2648	GLJ85AB.tmp
5312	GLJ85AB.tmp
5728	GLJ85AB.tmp
5888	GLJ85AB.tmp
6352	GLJ85AB.tmp
5136	GLJ85AB.tmp
5548	GLJ85AB.tmp
6004	GLJ85AB.tmp
7288	GLJ85AB.tmp
6288	GLJ85AB.tmp
3188	GLJ85AB.tmp
220	GLJ85AB.tmp
7568	GLJ85AB.tmp
5356	WiseCustomCalla12.exe
6292	TIConnect.exe
7640	TIConnect.exe
5124	TIDataEditor.exe
7852	TIDataEditor.exe
6424	dismhost.exe
5588	dismhost.exe
4276	OneDriveSetup.exe
7704	OneDriveSetup.exe
1080	FileSyncConfig.exe
5676	OneDrive.exe

Loads dropped DLL 64 IoCs

pid	Process
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5864	aj820C.exe
5864	aj820C.exe
5864	aj820C.exe
5864	aj820C.exe
5864	aj820C.exe
5864	aj820C.exe
5864	aj820C.exe
5864	aj820C.exe
7244	MsiExec.exe
7244	MsiExec.exe
7244	MsiExec.exe
7244	MsiExec.exe
6852	WiseCustomCalla3.exe
7244	MsiExec.exe
7244	MsiExec.exe
7244	MsiExec.exe
7524	MsiExec.exe
7524	MsiExec.exe
2888	MsiExec.exe
3248	MsiExec.exe
4328	MsiExec.exe
5988	MsiExec.exe
6708	MsiExec.exe
5236	MsiExec.exe
5096	MsiExec.exe
6440	MsiExec.exe
2652	MsiExec.exe
5688	MsiExec.exe
6188	MsiExec.exe
5420	MsiExec.exe
4152	MsiExec.exe
684	MsiExec.exe
6532	MsiExec.exe
4384	MsiExec.exe
3904	MsiExec.exe
1860	MsiExec.exe
380	MsiExec.exe
5372	MsiExec.exe
6592	MsiExec.exe
5016	MsiExec.exe
4944	MsiExec.exe
2796	MsiExec.exe
7076	MsiExec.exe
8076	MsiExec.exe
7112	MsiExec.exe
7964	MsiExec.exe
5980	WiseCustomCalla.exe
7964	MsiExec.exe
8064	WiseCustomCalla11.exe
7900	regsvr32.exe
4348	regsvr32.exe
2648	GLJ85AB.tmp
2648	GLJ85AB.tmp
2648	GLJ85AB.tmp
5312	GLJ85AB.tmp
5312	GLJ85AB.tmp
5312	GLJ85AB.tmp
5728	GLJ85AB.tmp

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /autoplay"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj820C.exe
Key opened	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\SOFTWARE\AVAST Software\Avast	aj820C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini	FiveM.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\G:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aj820C.exe

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ade99589-ef00-a44f-9cc3-5f9d25a9e5ef}\SET7DBD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ade99589-ef00-a44f-9cc3-5f9d25a9e5ef}\SET7DAB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ade99589-ef00-a44f-9cc3-5f9d25a9e5ef}\SET7DAB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\silvrlnk.inf_amd64_078e67552d8149ff\silvrlnk.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\SCM.EVM.1	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\FaceUnlock.etl.001	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe
File created	C:\Windows\SysWOW64\comctl32.ocx	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\silvrlnk.inf_amd64_078e67552d8149ff\SilvrLnk.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	dpinst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a993213-f4fa-e349-9f84-ee43e2577f16}\tiehdusb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\LogFiles\Fax\Outgoing	cleanmgr.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ade99589-ef00-a44f-9cc3-5f9d25a9e5ef}\silvrlnk.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ade99589-ef00-a44f-9cc3-5f9d25a9e5ef}\SilvrLnk.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tiehdusb.inf_amd64_17f0d5450b8d64b6\tiehdusb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tiehdusb.inf_amd64_17f0d5450b8d64b6\tiehdusb.cat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\MFC71.dll	WiseCustomCalla11.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\LwtNetLog.etl	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\SQM	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\RtBackup	cleanmgr.exe
File created	C:\Windows\SysWOW64\TIControlPanel.cpl	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\silvrlnk.inf_amd64_078e67552d8149ff\silvrlnk.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\silvrlnk.inf_amd64_078e67552d8149ff\silvrlnk.PNF	dpinst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a993213-f4fa-e349-9f84-ee43e2577f16}\SET8156.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\MFC71u.dll	WiseCustomCalla11.exe
File opened for modification	C:\Windows\System32\LogFiles\Fax	cleanmgr.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\msvcp71.dll	WiseCustomCalla11.exe
File created	C:\Windows\SysWOW64\~GLH000c.TMP	WiseCustomCalla11.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\Firewall	cleanmgr.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ade99589-ef00-a44f-9cc3-5f9d25a9e5ef}\silvrlnk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a993213-f4fa-e349-9f84-ee43e2577f16}\SET8157.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\SpoolerLogger.etl.002	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\Fax\Incoming	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI	cleanmgr.exe
File created	C:\Windows\System32\DriverStore\Temp\{ade99589-ef00-a44f-9cc3-5f9d25a9e5ef}\SET7DAC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\LogFiles\setupcln	cleanmgr.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a993213-f4fa-e349-9f84-ee43e2577f16}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tiehdusb.inf_amd64_17f0d5450b8d64b6\tiehdusb.PNF	dpinst.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\CloudFiles	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\RtBackup	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\setupcln	cleanmgr.exe
File created	C:\Windows\SysWOW64\TIControlPanel.cpl.manifest	msiexec.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\~GLH0008.TMP	WiseCustomCalla11.exe
File created	C:\Windows\System32\DriverStore\Temp\{5a993213-f4fa-e349-9f84-ee43e2577f16}\SET8145.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a993213-f4fa-e349-9f84-ee43e2577f16}\SET8145.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5a993213-f4fa-e349-9f84-ee43e2577f16}\SET8156.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe
File created	C:\Windows\SysWOW64\mscomct2.ocx	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a993213-f4fa-e349-9f84-ee43e2577f16}\tiehdusb.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5a993213-f4fa-e349-9f84-ee43e2577f16}\SET8157.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\~GLH0009.TMP	WiseCustomCalla11.exe
File created	C:\Windows\SysWOW64\~GLH000b.TMP	WiseCustomCalla11.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\SCM.EVM.2	cleanmgr.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagerr.xml	cleanmgr.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\~GLH0002.TMP	WiseCustomCalla11.exe
File opened for modification	C:\Program Files (x86)\TI Education\TI Connect\~GLH0007.TMP	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\~GLH0007.TMP	WiseCustomCalla11.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\INSTALL.LOG	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\Voyage200_OS209.v2u	msiexec.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\CBL2_OS109.c2u	msiexec.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\TIAutoUpgrade.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\GRPFOLDER.HTT	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIFileMn.dll	WiseCustomCalla11.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TiAbout.dll	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\TI73_OS160.73U	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIUSB.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\Icons\Number32x32.ico	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\	MsiExec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIC_Drivers\x64\~GLH0005.TMP	WiseCustomCalla.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TITransfer.dll	WiseCustomCalla11.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\~GLH0006.TMP	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TISerialB.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI92PTalk.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIPreferences.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIC_Drivers\x64\silvrlnk.sys	WiseCustomCalla.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\TIScreenCapture.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIDirect.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIC_Drivers\x64\~GLH0000.TMP	WiseCustomCalla.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\INSTALL.LOG	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\~GLH0004.TMP	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\TI83Plus_OS118.8Xu	msiexec.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\TIDeviceInfo.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI73Talk.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\Icons\Picture32x32.ico	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\PLUSCOLD.GIF	MsiExec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\MINCOLD.GIF	MsiExec.exe
File created	C:\PROGRA~1\DIFX\1E5F57120B769A13\dpinst.exe	dpinst.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIC_Drivers\x64\INSTALL.LOG	WiseCustomCalla.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\UpTiDev.exe	msiexec.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\TI84Plus_OS222.8xu	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\Icons\flashDeviceOS.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIDetect.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGroupMgr.dll	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIDataConverter.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\MINHOT.GIF	MsiExec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\GRPFOLDER.HTT	MsiExec.exe
File opened for modification	C:\PROGRA~1\DIFX\1E5F57120B769A13\dpinst.exe	dpinst.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\MINCOLD.GIF	MsiExec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\MINHOT.GIF	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\PLUSHOT.GIF	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\~GLH0001.TMP	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\Icons\flashApp.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\MINHOT.GIF	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\WATERMARK.JPG	MsiExec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\WVLEFT.BMP	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\~GLH0002.TMP	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\Icons\Settings32x32.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIC_Drivers\x64\~GLH0002.TMP	WiseCustomCalla.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIC_Drivers\x64\~GLH0004.TMP	WiseCustomCalla.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIDataConverter.dll	WiseCustomCalla11.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\TIConnectReadMe.html	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\TI Shared\TIC_Drivers\x64\silvrlnk.inf	WiseCustomCalla.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TICBL2Talk.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TINoteFolioConverter.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\Icons\Matrix32x32.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx_FolderSettings\WATERMARK.JPG	MsiExec.exe
File created	C:\Program Files (x86)\TI Education\TI Connect\TiDeviceExplorer.exe	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Logs\WindowsUpdate\WindowsUpdate.20231215.101354.391.1.etl	cleanmgr.exe
File opened for modification	C:\Windows\Logs\SettingSync	cleanmgr.exe
File created	C:\Windows\lflmb12n.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\{D06BA64C-4447-49B4-B99D-E85BEA9E1035}\IconD06BA64C2.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	dpinst.exe
File opened for modification	C:\Windows\Logs\NetSetup\service.0.etl	cleanmgr.exe
File opened for modification	C:\Windows\Logs\dosvc	cleanmgr.exe
File created	C:\Windows\Fonts\TIUniBd_.ttf	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\{D06BA64C-4447-49B4-B99D-E85BEA9E1035}\IconD06BA64C1.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	cleanmgr.exe
File created	C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla3782379141.dll	MsiExec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Fonts\TI-92PB.TTF	msiexec.exe
File created	C:\Windows\Fonts\TI-92p.TTF	msiexec.exe
File created	C:\Windows\Fonts\TI-83BD.TTF	msiexec.exe
File created	C:\Windows\ltfil12n.DLL	msiexec.exe
File created	C:\Windows\Fonts\TI-73.TTF	msiexec.exe
File created	C:\Windows\Installer\e6108bc.msi	msiexec.exe
File created	C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCall.dll	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI985.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D06BA64C-4447-49B4-B99D-E85BEA9E1035}	msiexec.exe
File opened for modification	C:\Windows\Logs\dosvc\dosvc.20231215_101413_734.etl	cleanmgr.exe
File created	C:\Windows\LFCMP12n.DLL	msiexec.exe
File opened for modification	C:\Windows\setupact.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\Telephony	cleanmgr.exe
File created	C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla11.dll	MsiExec.exe
File created	C:\Windows\lffax12n.dll	msiexec.exe
File created	C:\Windows\LTDIS12n.dll	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\WindowsUpdate	cleanmgr.exe
File created	C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla3.dll	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIE69.tmp	msiexec.exe
File created	C:\Windows\lfjbg12n.dll	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DPX	cleanmgr.exe
File created	C:\Windows\rescache\_merged\3060194815\2825129510.pri	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIA35D.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\CBS	cleanmgr.exe
File opened for modification	C:\Windows\Installer\e6108ba.msi	msiexec.exe
File created	C:\Windows\lfpcx12n.dll	msiexec.exe
File created	C:\Windows\Fonts\TI-86.TTF	msiexec.exe
File opened for modification	C:\Windows\Logs\WindowsUpdate\WindowsUpdate.20231215.101608.460.1.etl	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DISM	cleanmgr.exe
File created	C:\Windows\lfbmp12n.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA35C.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Fonts\TI-83pmini.ttf	msiexec.exe
File created	C:\Windows\Installer\{D06BA64C-4447-49B4-B99D-E85BEA9E1035}\IconD06BA64C1.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8F.tmp	msiexec.exe
File created	C:\Windows\twain_32\TITWAIN.ds	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	cleanmgr.exe
File created	C:\Windows\Fonts\TI-83PL.TTF	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dpinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dpinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	dpinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	dpinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dpinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	cleanmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	dpinst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wise Solutions\Wise for Windows Installer\WfWiEventA8064	WiseCustomCalla11.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wise Solutions	WiseCustomCalla11.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WiseCustomCalla12.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	dpinst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WiseCustomCalla12.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dpinst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Wise Solutions\Wise for Windows Installer	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WiseCustomCalla.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dpinst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	dpinst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WiseCustomCalla11.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dpinst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	dpinst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133507542934382421"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WiseCustomCalla12.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dpinst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WiseCustomCalla.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	dpinst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WiseCustomCalla.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wise Solutions\Wise for Windows Installer	WiseCustomCalla11.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	dpinst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	dpinst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	dpinst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Wise Solutions\Wise for Windows Installer\WfWiEventA8064\Property = "0INSTALLDIR"	WiseCustomCalla11.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WiseCustomCalla11.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dpinst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dpinst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	dpinst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WiseCustomCalla11.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\TIDataEditor.Constant\Shell\Open\Command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42265526-246B-48a7-B31C-6C8F6C42B9E2}\VersionIndependentProgID\ = "TIDirect.TIDirectStream"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB66603-37C5-11D4-843B-00E0B8116D72}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BF8992-9939-4DF9-893D-16AD837B14D6}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83602-895E-11D0-B0A6-000000000000}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E953-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{FE387539-44A3-11D1-B5B7-0000C09000C4}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TIShelEx.TIFileDlg	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\Control	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E953-850A-101B-AFC0-4210102A8DA7}\ = "IButton10"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TIGroupExplorer.Group\Shell\Open\ddeexec\application	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.9xq	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB66603-37C5-11D4-843B-00E0B8116D72}\ProgID\ = "TICBL2Talk.TICBL2Talk.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ACDFDEFC-5FD7-487D-91DC-365235188666}\InprocServer32\ = "C:\\PROGRA~2\\COMMON~1\\TISHAR~1\\TICONN~1\\TIGrpEx.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8B-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15B183AF-103D-4FA5-B6A3-0517F79D862A}\TypeLib\Version = "1.0"	GLJ85AB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC682841-72D8-11D1-A036-00062914C50F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TIDirect.TIDirectStream.1\ = "TIDirectStream Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{137EB833-7E47-40D3-A7A6-33F2C9372AC7}\TypeLib\ = "{3FCEF003-09A4-11D4-8D3B-D12F9D3D8B02}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ACDFDEFC-5FD7-487D-91DC-365235188666}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A4-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.92m	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDBA7AFE-A69D-4A40-AC2D-733B0C570051}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\TI Shared\\TalkTI\\TIAppVar.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8AF-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ = "IGetAllSharedFoldersCallback"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.v2m\ = "TIDataEditor.Matrix"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3840B99-EAB1-4EAC-A6A3-3D754A01419A}\ = "IAppVar"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.v2k	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC682801-72D8-11D1-A036-00062914C50F}\TypeLib\ = "{1CB665F4-37C5-11D4-843B-00E0B8116D72}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl\CLSID\ = "{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A63C0F6F-A532-11D4-9525-00104BA5A7C4}\ProgID\ = "TIDetect.Spy.1"	GLJ85AB.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win64	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7791BA62-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A63C0F61-A532-11D4-9525-00104BA5A7C4}\1.0	GLJ85AB.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{386DFF97-3B14-11D4-9772-00104BF6EA79}\1.0	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E06730A1-CD81-11D2-AECD-00104BE3600F}\1.0\FLAGS	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04D7372-7C6F-4CC2-8257-516EA693B2D7}	GLJ85AB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04D7372-7C6F-4CC2-8257-516EA693B2D7}\ProxyStubClsid32	GLJ85AB.tmp
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import\DropTarget	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C94CE23F-F656-4297-9868-BAA657CD0A98}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\FLAGS	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	FiveM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TIConnect.Text\DefaultIcon\ = "C:\\Program Files (x86)\\Common Files\\\\TI Shared\\icons\\String32x32.ico"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1384	OneDrive.exe
5676	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
4260	chrome.exe
4260	chrome.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe
5620	avg_secure_browser_setup.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
340	FiveM.exe
6292	TIConnect.exe
4536	cleanmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
5084	FiveM.exe
340	FiveM.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
1384	OneDrive.exe
1384	OneDrive.exe
1384	OneDrive.exe
1384	OneDrive.exe
5676	OneDrive.exe
5676	OneDrive.exe
5676	OneDrive.exe
5676	OneDrive.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2544	SystemSettingsAdminFlows.exe
340	FiveM.exe
340	FiveM.exe
5620	avg_secure_browser_setup.exe
5864	aj820C.exe
5864	aj820C.exe
6292	TIConnect.exe
6292	TIConnect.exe
7640	TIConnect.exe
5124	TIDataEditor.exe
5124	TIDataEditor.exe
7852	TIDataEditor.exe
5124	TIDataEditor.exe
1384	OneDrive.exe
5676	OneDrive.exe
5676	OneDrive.exe
5676	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4076	2428	chrome.exe	86
PID 2428 wrote to memory of 4076	2428	chrome.exe	86
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4368	2428	chrome.exe	89
PID 2428 wrote to memory of 4632	2428	chrome.exe	88
PID 2428 wrote to memory of 4632	2428	chrome.exe	88
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90
PID 2428 wrote to memory of 2200	2428	chrome.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Archive.zip
1⤵
PID:1128

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RenamePC
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffd11cd9758,0x7ffd11cd9768,0x7ffd11cd9778
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:2
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5172 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4656 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2992 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5040 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5376 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5708 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6076 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5828 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:1236
- C:\Users\Admin\Downloads\FiveM.exe
  "C:\Users\Admin\Downloads\FiveM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:5084
- - C:\Users\Admin\Downloads\CitizenFX.exe.new
    CitizenFX.exe.new -bootstrap "C:\Users\Admin\Downloads\FiveM.exe"
    3⤵
    - Executes dropped EXE
    PID:5116
  - - C:\Users\Admin\Downloads\FiveM.exe
      "C:\Users\Admin\Downloads\FiveM.exe"
      4⤵
      Executes dropped EXE
      PID:3168
    - - C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
        
        "C:\Users\Admin\AppData\Local\FiveM\FiveM.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:340
      - C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer
        
        "C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer" -dumpserver:1344 -parentpid:340
        6⤵
        Executes dropped EXE
        
        PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=2272 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=2488 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5904 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6248 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5896 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5604 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5556 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6460 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6460 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5796 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6468 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=7024 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6580 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6220 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:68
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7952 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=7808 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=7656 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=7508 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7376 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7216 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=3080 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8272 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=8468 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=8500 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=8616 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=8748 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=9088 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=9288 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=9456 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=9748 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=9612 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=9744 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10084 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:6148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9752 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=10504 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10468 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:6432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=10436 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10560 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:6524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10780 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:6516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=10424 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=11572 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=11588 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=11440 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=11308 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=11284 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=11272 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=11168 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=11140 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=11132 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=11124 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=11096 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=11084 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=10664 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=10076 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=10548 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=10408 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=10776 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=14112 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:8104
- C:\Users\Admin\Downloads\avg_secure_browser_setup.exe
  "C:\Users\Admin\Downloads\avg_secure_browser_setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5620
- - C:\Users\Admin\AppData\Local\Temp\aj820C.exe
    "C:\Users\Admin\AppData\Local\Temp\aj820C.exe" /relaunch=8 /was_elevated=1 /tagdata
    3⤵
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=13024 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --mojo-platform-channel-handle=5828 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=9936 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=9888 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --mojo-platform-channel-handle=7204 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=7180 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --mojo-platform-channel-handle=9924 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --mojo-platform-channel-handle=11904 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --mojo-platform-channel-handle=11688 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=11628 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --mojo-platform-channel-handle=11184 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --mojo-platform-channel-handle=11204 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --mojo-platform-channel-handle=7568 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --mojo-platform-channel-handle=11108 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --mojo-platform-channel-handle=5556 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --mojo-platform-channel-handle=11728 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --mojo-platform-channel-handle=7640 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --mojo-platform-channel-handle=13136 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --mojo-platform-channel-handle=9888 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --mojo-platform-channel-handle=12472 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --mojo-platform-channel-handle=12488 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:68
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --mojo-platform-channel-handle=7340 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --mojo-platform-channel-handle=13588 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --mojo-platform-channel-handle=8248 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --mojo-platform-channel-handle=11644 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --mojo-platform-channel-handle=8372 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --mojo-platform-channel-handle=12268 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:8120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --mojo-platform-channel-handle=8400 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --mojo-platform-channel-handle=13136 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --mojo-platform-channel-handle=12484 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=113 --mojo-platform-channel-handle=12456 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=119 --mojo-platform-channel-handle=8048 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --mojo-platform-channel-handle=8944 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --mojo-platform-channel-handle=7648 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --mojo-platform-channel-handle=14248 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=115 --mojo-platform-channel-handle=14164 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --mojo-platform-channel-handle=9084 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --mojo-platform-channel-handle=9156 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=120 --mojo-platform-channel-handle=9140 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=123 --mojo-platform-channel-handle=4392 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=124 --mojo-platform-channel-handle=7112 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8604 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=13544 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=127 --mojo-platform-channel-handle=12120 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --mojo-platform-channel-handle=13908 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=129 --mojo-platform-channel-handle=6736 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9172 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:7964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6668 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:7588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=132 --mojo-platform-channel-handle=13536 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --mojo-platform-channel-handle=13936 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=134 --mojo-platform-channel-handle=6748 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=135 --mojo-platform-channel-handle=3912 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=136 --mojo-platform-channel-handle=13716 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=137 --mojo-platform-channel-handle=1700 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=138 --mojo-platform-channel-handle=6528 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7440 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:7444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=140 --mojo-platform-channel-handle=12740 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=141 --mojo-platform-channel-handle=7080 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=142 --mojo-platform-channel-handle=13192 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=12492 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9948 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=145 --mojo-platform-channel-handle=8380 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=146 --mojo-platform-channel-handle=4736 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=147 --mojo-platform-channel-handle=3604 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=148 --mojo-platform-channel-handle=5416 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=149 --mojo-platform-channel-handle=8108 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=150 --mojo-platform-channel-handle=7424 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=151 --mojo-platform-channel-handle=5176 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=152 --mojo-platform-channel-handle=11396 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=159 --mojo-platform-channel-handle=9640 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=158 --mojo-platform-channel-handle=8588 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=157 --mojo-platform-channel-handle=6188 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=156 --mojo-platform-channel-handle=7452 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=155 --mojo-platform-channel-handle=8028 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=154 --mojo-platform-channel-handle=6720 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=153 --mojo-platform-channel-handle=8604 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=162 --mojo-platform-channel-handle=12616 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=161 --mojo-platform-channel-handle=6520 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=160 --mojo-platform-channel-handle=8012 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=163 --mojo-platform-channel-handle=3836 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=164 --mojo-platform-channel-handle=3144 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=165 --mojo-platform-channel-handle=6880 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=166 --mojo-platform-channel-handle=5344 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=167 --mojo-platform-channel-handle=5480 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=168 --mojo-platform-channel-handle=1540 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=169 --mojo-platform-channel-handle=3000 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=171 --mojo-platform-channel-handle=8028 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=172 --mojo-platform-channel-handle=5540 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=176 --mojo-platform-channel-handle=10008 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=175 --mojo-platform-channel-handle=8908 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=174 --mojo-platform-channel-handle=14288 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=173 --mojo-platform-channel-handle=13216 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=170 --mojo-platform-channel-handle=7452 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=178 --mojo-platform-channel-handle=12672 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:8020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=177 --mojo-platform-channel-handle=9668 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=179 --mojo-platform-channel-handle=12840 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=180 --mojo-platform-channel-handle=13036 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3124 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:6240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2036 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:6948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=184 --mojo-platform-channel-handle=6624 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=183 --mojo-platform-channel-handle=7700 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=185 --mojo-platform-channel-handle=11512 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=186 --mojo-platform-channel-handle=11480 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=187 --mojo-platform-channel-handle=10092 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=188 --mojo-platform-channel-handle=12576 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=189 --mojo-platform-channel-handle=7828 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7196 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:6552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=191 --mojo-platform-channel-handle=3104 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=192 --mojo-platform-channel-handle=3196 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:7940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=193 --mojo-platform-channel-handle=8732 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=200 --mojo-platform-channel-handle=9844 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=199 --mojo-platform-channel-handle=7836 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=198 --mojo-platform-channel-handle=7220 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=197 --mojo-platform-channel-handle=7024 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=196 --mojo-platform-channel-handle=4624 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=195 --mojo-platform-channel-handle=6100 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=194 --mojo-platform-channel-handle=12804 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=202 --mojo-platform-channel-handle=7640 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=201 --mojo-platform-channel-handle=14068 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=204 --mojo-platform-channel-handle=7820 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=203 --mojo-platform-channel-handle=11536 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=205 --mojo-platform-channel-handle=11980 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=14084 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:6308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9580 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=208 --mojo-platform-channel-handle=10944 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:7588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=14328 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:6504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9472 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:8
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=212 --mojo-platform-channel-handle=6956 --field-trial-handle=1652,i,3288736910336332512,5326559539335399714,131072 /prefetch:1
  2⤵
  PID:6912
- C:\Users\Admin\Downloads\TI-Connect-4.0.0.218.exe
  "C:\Users\Admin\Downloads\TI-Connect-4.0.0.218.exe"
  2⤵
  - Executes dropped EXE
  PID:5560
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISD06BA64C444749B4B99DE85BEA9E1035_4_0_0_218.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Downloads\TI-Connect-4.0.0.218.exe"
    3⤵
    - Enumerates connected drives
    PID:6548

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4220

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4936
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2AADAF53619784720491F17C540BF6F7 C
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:7244
- - C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla3.exe
    "C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6852
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 34DD8BAEBAE103088F7099ED0191C8AA
  2⤵
  - Loads dropped DLL
  PID:7524
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI86Talk.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2888
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TIConnect\CreatorFinder.dll"
  2⤵
  - Loads dropped DLL
  PID:3248
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIErrorString.dll"
  2⤵
  - Loads dropped DLL
  PID:4328
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI89TTalk.dll"
  2⤵
  - Loads dropped DLL
  PID:5988
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIDirect.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:6708
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TICBL2Talk.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5236
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI92Talk.dll"
  2⤵
  - Loads dropped DLL
  PID:5096
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI83PTalk.dll"
  2⤵
  - Loads dropped DLL
  PID:6440
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIShlExt.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2652
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TISerialB.dll"
  2⤵
  - Loads dropped DLL
  PID:5688
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TISerial.dll"
  2⤵
  - Loads dropped DLL
  PID:6188
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIPic.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5420
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIFontUtility.dll"
  2⤵
  - Loads dropped DLL
  PID:4152
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI73Talk.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:684
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIVarEx.dll"
  2⤵
  - Loads dropped DLL
  PID:6532
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI84PTalk.dll"
  2⤵
  - Loads dropped DLL
  PID:4384
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIAppVar.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3904
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI92PTalk.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1860
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TICBRTalk.dll"
  2⤵
  - Loads dropped DLL
  PID:380
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\CARSTalk.dll"
  2⤵
  - Loads dropped DLL
  PID:5372
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TI83Talk.dll"
  2⤵
  - Loads dropped DLL
  PID:6592
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx.dll"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  PID:5016
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGrpEx.dll"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  PID:4944
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIUSB.dll"
  2⤵
  - Loads dropped DLL
  PID:2796
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TICBLTalk.dll"
  2⤵
  - Loads dropped DLL
  PID:7076
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIPreferences.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:8076
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIV200Talk.dll"
  2⤵
  - Loads dropped DLL
  PID:7112
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4754B96F87BE310F65BA9D4314C52911 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:7964
- - C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla.exe
    "C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    PID:5980
  - - C:\PROGRA~2\COMMON~1\TISHAR~1\TIC_DR~1\x64\dpinst.exe
      "C:\PROGRA~2\COMMON~1\TISHAR~1\TIC_DR~1\x64\dpinst.exe" /S /SE
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Modifies data under HKEY_USERS
      PID:6196
- - C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla11.exe
    "C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla11.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    PID:8064
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Windows\system32\comctl32.ocx"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:7900
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Windows\system32\mscomct2.ocx"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIFileMn.dll
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TiAbout.dll
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5312
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Program Files (x86)\Common Files\TI Shared\TIConnect\TIGroupMgr.dll
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIDataConverter.dll
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:5888
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIDetect.dll
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:6352
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TITransfer.dll
      4⤵
      Executes dropped EXE
      PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIVar.dll
      4⤵
      Executes dropped EXE
      PID:5548
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Program Files (x86)\TI Education\\TI Connect\TIBackupRestore.dll
      4⤵
      Executes dropped EXE
      PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Windows\System32\atl71.dll
      4⤵
      Executes dropped EXE
      PID:7288
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Windows\System32\MFC71.dll
      4⤵
      Executes dropped EXE
      PID:6288
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Windows\System32\MFC71u.dll
      4⤵
      Executes dropped EXE
      PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Windows\System32\msvcp71.dll
      4⤵
      Executes dropped EXE
      PID:220
  - - C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJ85AB.tmp" C:\Windows\System32\msvcr71.dll
      4⤵
      Executes dropped EXE
      PID:7568
- - C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla12.exe
    "C:\Windows\D06BA64C444749B4B99DE85BEA9E1035.TMP\WiseCustomCalla12.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:5356
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\TI Shared\TalkTI\TIVar.dll"
      4⤵
      PID:7768
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\TI Education\\TI Connect\TIAutoUpgrade.dll"
      4⤵
      PID:8108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6008

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
PID:528
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "9" "c:\progra~2\common~1\tishar~1\tic_dr~1\x64\silvrlnk.inf" "9" "40de13fdf" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\progra~2\common~1\tishar~1\tic_dr~1\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5856
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "9" "c:\progra~2\common~1\tishar~1\tic_dr~1\x64\tiehdusb.inf" "9" "4151d196f" "0000000000000178" "WinSta0\Default" "0000000000000180" "208" "c:\progra~2\common~1\tishar~1\tic_dr~1\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:6096

C:\Program Files (x86)\TI Education\TI Connect\TIConnect.exe
"C:\Program Files (x86)\TI Education\TI Connect\TIConnect.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6292
- C:\Program Files (x86)\TI Education\TI Connect\TIConnect.exe
  "C:\Program Files (x86)\TI Education\TI Connect\TIConnect.exe" updatecheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:7640
- C:\Program Files (x86)\TI Education\TI Connect\TIDataEditor.exe
  "C:\Program Files (x86)\TI Education\TI Connect\TIDataEditor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5124
- C:\Program Files (x86)\TI Education\TI Connect\TIDataEditor.exe
  "C:\Program Files (x86)\TI Education\TI Connect\TIDataEditor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:7852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7152

C:\Windows\system32\cleanmgr.exe
"C:\Windows\system32\cleanmgr.exe"
1⤵
- Deletes itself
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:4536
- C:\Users\Admin\AppData\Local\Temp\F8C43F56-EB24-4D1B-816B-F1180C75DCC7\dismhost.exe
  C:\Users\Admin\AppData\Local\Temp\F8C43F56-EB24-4D1B-816B-F1180C75DCC7\dismhost.exe {90DA0626-823A-44DA-996B-10131D1236B4}
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:6424
- C:\Windows\system32\wermgr.exe
  wermgr.exe -purgestores
  2⤵
  PID:6156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5520

C:\Windows\system32\cleanmgr.exe
"C:\Windows\system32\cleanmgr.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:6400
- C:\Users\Admin\AppData\Local\Temp\898569B4-28A7-4156-A11A-7AF377C715F9\dismhost.exe
  C:\Users\Admin\AppData\Local\Temp\898569B4-28A7-4156-A11A-7AF377C715F9\dismhost.exe {1D3061EC-2FA4-4A00-B4EE-A2C8AF685DC6}
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5588

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1384
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:4276
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Adds Run key to start application
    - Checks system information in the registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:7704
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
      4⤵
      Executes dropped EXE
      Registers COM server for autorun
      PID:1080
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      Executes dropped EXE
      Modifies system executable filetype association
      Registers COM server for autorun
      Checks system information in the registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:5676

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:7968

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:7468
- C:\Windows\system32\dashost.exe
  dashost.exe {ad6b7562-06a8-403f-95112cc1d532f39b}
  2⤵
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery