5bb2af4f0e70623e1ce277a4cd0c0c27e51890541e34f0e9a1e5b81ce4a12324

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	TLauncher-2.919-Installer-1.3.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	TLauncher-2.919-Installer-1.3.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	TLauncher-2.919-Installer-1.3.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	Transformice.exe

Executes dropped EXE 36 IoCs

pid	Process
3168	tapinstall.exe
872	tapinstall.exe
4508	bvpn.exe
2464	bVPN_2_5_5_setup.exe
3640	bVPN_2_5_5_setup.exe
4404	uninst.exe
920	Au_.exe
2768	tapinstall.exe
3236	tapinstall.exe
1132	bVPN_2_5_5_setup.exe
2576	waselvpnserv.exe
1548	waselvpnserv.exe
4376	waselvpnserv.exe
3276	taptool.exe
3412	devcon.exe
4508	bvpn.exe
4128	bvpn.exe
6100	openvpn-wasel.exe
5468	bvpn.exe
3996	bvpn.exe
2780	openvpn-wasel.exe
5876	Transformice.exe
4352	Install Transformice.exe
3364	TLauncher-2.919-Installer-1.3.3.exe
4880	irsetup.exe
5252	TLauncher-2.919-Installer-1.3.3.exe
3504	irsetup.exe
2076	7z2404-x64.exe
3504	7zG.exe
5780	7zFM.exe
6016	TLauncher-2.919-Installer-1.3.3.exe
1784	irsetup.exe
6876	irsetup.exe
6764	irsetup.exe
6748	TLauncher.exe
2896	TLauncher.exe

Loads dropped DLL 64 IoCs

pid	Process
452	bVPN_1_7_0_setup.exe
452	bVPN_1_7_0_setup.exe
452	bVPN_1_7_0_setup.exe
452	bVPN_1_7_0_setup.exe
452	bVPN_1_7_0_setup.exe
452	bVPN_1_7_0_setup.exe
452	bVPN_1_7_0_setup.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
2464	bVPN_2_5_5_setup.exe
2464	bVPN_2_5_5_setup.exe
3640	bVPN_2_5_5_setup.exe
3640	bVPN_2_5_5_setup.exe
920	Au_.exe
920	Au_.exe
920	Au_.exe
920	Au_.exe
1132	bVPN_2_5_5_setup.exe
1132	bVPN_2_5_5_setup.exe
1132	bVPN_2_5_5_setup.exe
1132	bVPN_2_5_5_setup.exe
1132	bVPN_2_5_5_setup.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
2576	waselvpnserv.exe
1132	bVPN_2_5_5_setup.exe
1548	waselvpnserv.exe
1548	waselvpnserv.exe
1548	waselvpnserv.exe
1548	waselvpnserv.exe
1548	waselvpnserv.exe
1548	waselvpnserv.exe
1548	waselvpnserv.exe
1548	waselvpnserv.exe
4376	waselvpnserv.exe
4376	waselvpnserv.exe
4376	waselvpnserv.exe
4376	waselvpnserv.exe
4376	waselvpnserv.exe
4376	waselvpnserv.exe
4376	waselvpnserv.exe
4376	waselvpnserv.exe
1132	bVPN_2_5_5_setup.exe
3276	taptool.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4800	icacls.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000002373a-3769.dat	upx
behavioral1/memory/4880-3774-0x0000000000110000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/4880-4395-0x0000000000110000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/3504-4428-0x0000000000EF0000-0x00000000012D9000-memory.dmp	upx
behavioral1/memory/3504-5021-0x0000000000EF0000-0x00000000012D9000-memory.dmp	upx
behavioral1/memory/1784-6302-0x0000000000FB0000-0x0000000001399000-memory.dmp	upx
behavioral1/memory/1784-6903-0x0000000000FB0000-0x0000000001399000-memory.dmp	upx
behavioral1/files/0x0009000000023f82-7632.dat	upx
behavioral1/memory/6876-7637-0x0000000000110000-0x00000000004F8000-memory.dmp	upx
behavioral1/memory/6876-7729-0x0000000000110000-0x00000000004F8000-memory.dmp	upx
behavioral1/memory/6764-7741-0x0000000000CD0000-0x00000000010B8000-memory.dmp	upx
behavioral1/memory/6764-7901-0x0000000000CD0000-0x00000000010B8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bVPN = "\"C:\\Program Files (x86)\\bVPN Service\\bVPN\\bvpn.exe\""	bVPN_1_7_0_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bVPN = "\"C:\\Program Files (x86)\\bVPN Service\\bVPN\\bvpn.exe\""	bvpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bVPN = "\"C:\\Program Files (x86)\\bVPN Service\\bVPN\\bvpn.exe\""	bVPN_2_5_5_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\oemwin2k.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\tapbvpn.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET985B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_71542ace8727e983\tapbvpn.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET985A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_71542ace8727e983\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET134.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET155.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET9859.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_71542ace8727e983\oemvista.PNF	devcon.exe
File created	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET985A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET985B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET134.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET144.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET155.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\tapbvpn.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\oemwin2k.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\oemwin2k.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\oemwin2k.PNF	tapinstall.exe
File created	C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET9859.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_71542ace8727e983\tapbvpn.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET144.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\tap0901.cat	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2404-x64.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\imageformats\qgif.dll	bVPN_2_5_5_setup.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\libeay32.dll	bVPN_2_5_5_setup.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\openvpn\libpkcs11-helper-1.dll	bVPN_1_7_0_setup.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\msvcp120.dll	bVPN_2_5_5_setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2404-x64.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\tapbvpn\i386\tapbvpn.cat	bVPN_2_5_5_setup.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\Qt5Gui.dll	bVPN_2_5_5_setup.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\openvpn-wasel.exe	bVPN_2_5_5_setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2404-x64.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tap0901.cat	bVPN_1_7_0_setup.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\quazip.dll	bVPN_1_7_0_setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2404-x64.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\tap0901\i386\tap0901.sys	bVPN_2_5_5_setup.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\qsmoke.dll	bVPN_2_5_5_setup.exe
File opened for modification	C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tapinstall.exe	Au_.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\imageformats\qico.dll	bVPN_2_5_5_setup.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\uninst.exe	bVPN_2_5_5_setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2404-x64.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\debug_helper.exe	bVPN_1_7_0_setup.exe
File opened for modification	C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win32\tap0901.cat	Au_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win32\tapinstall.exe	Au_.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\libpkcs11-helper-1.dll	bVPN_2_5_5_setup.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2404-x64.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\uninst.exe	bVPN_1_7_0_setup.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\tap0901_legacy\amd64\OemWin2k.inf	bVPN_2_5_5_setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe	Au_.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\waselvpnserv.exe	bVPN_2_5_5_setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\openvpn.exe	bVPN_2_5_5_setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tap0901.sys	Au_.exe
File opened for modification	C:\Program Files (x86)\bVPN Service\bVPN\srv.log	waselvpnserv.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\tap0901_legacy\i386\tap0901.cat	bVPN_2_5_5_setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2404-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll	7z2404-x64.exe
File created	C:\Program Files (x86)\bVPN Service\bVPN\openvpn\lzo2.dll	bVPN_1_7_0_setup.exe
File opened for modification	C:\Program Files (x86)\bVPN Service\bVPN\ssleay32.dll	Au_.exe
File opened for modification	C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win32\OemWin2k.inf	Au_.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2404-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2404-x64.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133575984292529165"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WF_SERVICE_NPV_FF56A4C7	bvpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2288054676-1871194608-3559553667-1000\{5AB2B366-111D-482A-A17C-23F450CB8D1D}	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	devcon.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
4508	bvpn.exe
4128	bvpn.exe
5468	bvpn.exe
3996	bvpn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
452	bVPN_1_7_0_setup.exe
452	bVPN_1_7_0_setup.exe
4508	bvpn.exe
4508	bvpn.exe
2824	chrome.exe
2824	chrome.exe
2464	bVPN_2_5_5_setup.exe
2464	bVPN_2_5_5_setup.exe
2464	bVPN_2_5_5_setup.exe
2464	bVPN_2_5_5_setup.exe
2464	bVPN_2_5_5_setup.exe
3640	bVPN_2_5_5_setup.exe
3640	bVPN_2_5_5_setup.exe
3640	bVPN_2_5_5_setup.exe
3640	bVPN_2_5_5_setup.exe
3640	bVPN_2_5_5_setup.exe
920	Au_.exe
920	Au_.exe
2572	chrome.exe
2572	chrome.exe
1132	bVPN_2_5_5_setup.exe
1132	bVPN_2_5_5_setup.exe
1132	bVPN_2_5_5_setup.exe
1132	bVPN_2_5_5_setup.exe
1132	bVPN_2_5_5_setup.exe
1808	bvpn.exe
1808	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
968	msedge.exe
968	msedge.exe
4968	msedge.exe
4968	msedge.exe
6100	openvpn-wasel.exe
6100	openvpn-wasel.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
4128	bvpn.exe
1132	bVPN_2_5_5_setup.exe
5680	taskmgr.exe
3996	bvpn.exe
5780	7zFM.exe
3340	msdt.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
4968	msedge.exe
4968	msedge.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
3452	msedge.exe
3452	msedge.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe
2496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAuditPrivilege	4176	svchost.exe
Token: SeSecurityPrivilege	4176	svchost.exe
Token: SeLoadDriverPrivilege	872	tapinstall.exe
Token: SeRestorePrivilege	3480	DrvInst.exe
Token: SeBackupPrivilege	3480	DrvInst.exe
Token: SeLoadDriverPrivilege	3480	DrvInst.exe
Token: SeLoadDriverPrivilege	3480	DrvInst.exe
Token: SeLoadDriverPrivilege	3480	DrvInst.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: 33	3000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3000	AUDIODG.EXE
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe
Token: SeShutdownPrivilege	2824	chrome.exe
Token: SeCreatePagefilePrivilege	2824	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
4508	bvpn.exe
1132	bVPN_2_5_5_setup.exe
1808	bvpn.exe
1808	bvpn.exe
1808	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4508	bvpn.exe
4508	bvpn.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
2824	chrome.exe
4508	bvpn.exe
1808	bvpn.exe
1808	bvpn.exe
1808	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4128	bvpn.exe
4128	bvpn.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe
5680	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
4508	bvpn.exe
3640	bVPN_2_5_5_setup.exe
4404	uninst.exe
920	Au_.exe
2768	tapinstall.exe
3236	tapinstall.exe
1132	bVPN_2_5_5_setup.exe
2576	waselvpnserv.exe
1548	waselvpnserv.exe
4376	waselvpnserv.exe
3276	taptool.exe
3412	devcon.exe
1808	bvpn.exe
1808	bvpn.exe
1808	bvpn.exe
1808	bvpn.exe
1808	bvpn.exe
4508	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
4128	bvpn.exe
2772	iwasel_pro_updater.exe
2772	iwasel_pro_updater.exe
4600	iwasel_pro_updater.exe
4600	iwasel_pro_updater.exe
4128	bvpn.exe
5468	bvpn.exe
3276	bvpn.exe
3276	bvpn.exe
3276	bvpn.exe
3276	bvpn.exe
3276	bvpn.exe
964	tapinstall.exe
228	tapinstall.exe
372	bvpn.exe
5280	bvpn.exe
5280	bvpn.exe
5280	bvpn.exe
5280	bvpn.exe
5144	bvpn.exe
3996	bvpn.exe
3996	bvpn.exe
3996	bvpn.exe
3996	bvpn.exe
4880	irsetup.exe
4880	irsetup.exe
4880	irsetup.exe
4880	irsetup.exe
5252	TLauncher-2.919-Installer-1.3.3.exe
3504	irsetup.exe
3504	irsetup.exe
3504	irsetup.exe
3504	irsetup.exe
3504	irsetup.exe
1784	irsetup.exe
1784	irsetup.exe
1784	irsetup.exe
1784	irsetup.exe
1784	irsetup.exe
6876	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3168	452	bVPN_1_7_0_setup.exe	93
PID 452 wrote to memory of 3168	452	bVPN_1_7_0_setup.exe	93
PID 452 wrote to memory of 872	452	bVPN_1_7_0_setup.exe	95
PID 452 wrote to memory of 872	452	bVPN_1_7_0_setup.exe	95
PID 4176 wrote to memory of 2912	4176	svchost.exe	98
PID 4176 wrote to memory of 2912	4176	svchost.exe	98
PID 2912 wrote to memory of 4908	2912	DrvInst.exe	99
PID 2912 wrote to memory of 4908	2912	DrvInst.exe	99
PID 4176 wrote to memory of 3480	4176	svchost.exe	100
PID 4176 wrote to memory of 3480	4176	svchost.exe	100
PID 452 wrote to memory of 4508	452	bVPN_1_7_0_setup.exe	104
PID 452 wrote to memory of 4508	452	bVPN_1_7_0_setup.exe	104
PID 452 wrote to memory of 4508	452	bVPN_1_7_0_setup.exe	104
PID 2824 wrote to memory of 2972	2824	chrome.exe	110
PID 2824 wrote to memory of 2972	2824	chrome.exe	110
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 4496	2824	chrome.exe	111
PID 2824 wrote to memory of 1980	2824	chrome.exe	112
PID 2824 wrote to memory of 1980	2824	chrome.exe	112
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113
PID 2824 wrote to memory of 2832	2824	chrome.exe	113

C:\Users\Admin\AppData\Local\Temp\bVPN_1_7_0_setup.exe
"C:\Users\Admin\AppData\Local\Temp\bVPN_1_7_0_setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:452
- C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tapinstall.exe
  "C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tapinstall.exe" remove tap0901
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3168
- C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tapinstall.exe
  "C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tapinstall" install "C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\OemWin2k.inf" tap0901
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
  "C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{557ee188-e804-7d49-aa73-a5c0a156af5d}\oemwin2k.inf" "9" "4d14a44ff" "0000000000000138" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\bvpn service\bvpn\openvpn\tap\win64"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{807efcc0-27f0-cd44-a655-5c8259402471} Global\{c01c0a3b-fec6-9849-a929-b2659ab739bd} C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\oemwin2k.inf C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\tap0901.cat
    3⤵
    PID:4908
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.9:tap0901," "4d14a44ff" "0000000000000138"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbd3f2ab58,0x7ffbd3f2ab68,0x7ffbd3f2ab78
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:2
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3656 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1916
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff646e5ae48,0x7ff646e5ae58,0x7ff646e5ae68
    3⤵
    PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4692 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5108 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3512 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5336 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3508 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5656 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:2896
- C:\Users\Admin\Downloads\bVPN_2_5_5_setup.exe
  "C:\Users\Admin\Downloads\bVPN_2_5_5_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5380 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4180 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3152 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5332 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4336 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:5604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4620 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6048 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=2688 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=1528 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5696 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5076 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=2472 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5672 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5760 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5744 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=5672 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6072 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=2552 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=4592 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=4552 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=5652 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=2548 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6392 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6548 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=5052 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6572 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=4820 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6524 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:5496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6908 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6712 --field-trial-handle=1924,i,94828038574894013,8280906742885050692,131072 /prefetch:8
  2⤵
  PID:6108
- C:\Users\Admin\Downloads\Transformice.exe
  "C:\Users\Admin\Downloads\Transformice.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5876
- - C:\Users\Admin\AppData\Local\Temp\AIR26ED.tmp\Install Transformice.exe
    "C:\Users\Admin\AppData\Local\Temp\AIR26ED.tmp\Install Transformice.exe"
    3⤵
    - Executes dropped EXE
    PID:4352

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4608

C:\Users\Admin\Downloads\bVPN_2_5_5_setup.exe
"C:\Users\Admin\Downloads\bVPN_2_5_5_setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3640

C:\Program Files (x86)\bVPN Service\bVPN\uninst.exe
"C:\Program Files (x86)\bVPN Service\bVPN\uninst.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4404
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Program Files (x86)\bVPN Service\bVPN\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:920
- - C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win32\tapinstall.exe
    "C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win32\tapinstall.exe" remove tap0901
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    PID:2768
- - C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tapinstall.exe
    "C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tapinstall.exe" remove tap0901
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    PID:3236

C:\Users\Admin\Downloads\bVPN_2_5_5_setup.exe
"C:\Users\Admin\Downloads\bVPN_2_5_5_setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1132
- C:\Program Files (x86)\bVPN Service\bVPN\waselvpnserv.exe
  "C:\Program Files (x86)\bVPN Service\bVPN\waselvpnserv.exe" -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2576
- C:\Program Files (x86)\bVPN Service\bVPN\waselvpnserv.exe
  "C:\Program Files (x86)\bVPN Service\bVPN\waselvpnserv.exe" -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1548
- C:\Program Files (x86)\bVPN Service\bVPN\taptool.exe
  "C:\Program Files (x86)\bVPN Service\bVPN\taptool.exe" --installauto
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3276
- - C:\Program Files (x86)\bVPN Service\bVPN\devcon\amd64\devcon.exe
    "C:\Program Files (x86)\bVPN Service\bVPN\devcon\amd64\devcon.exe" install "C:\Program Files (x86)\bVPN Service\bVPN\tapbvpn\amd64\OemVista.inf" tapbvpn
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:3412

C:\Program Files (x86)\bVPN Service\bVPN\waselvpnserv.exe
"C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4376
- C:\Windows\SysWOW64\netsh.exe
  netsh int ip set interface "interface=Ethernet 2" metric=1
  2⤵
  PID:6008
- C:\Program Files (x86)\bVPN Service\bVPN\openvpn-wasel.exe
  "C:\Program Files (x86)\bVPN Service\bVPN\openvpn-wasel.exe" --remote 127.0.0.1 49743 udp --dev tun --client --resolv-retry infinite --nobind --persist-key --ns-cert-type server --comp-lzo --verb 3 --reneg-sec 0 --mssfix 1400 --route-delay 2 --redirect-gateway --auth-user-pass --hand-window 10 --block-outside-dns --explicit-exit-notify --management 127.0.0.1 58016 --management-client --management-query-passwords --management-hold --ca "C:\Users\Admin\AppData\Local\bVPN Service\bVPN\castore\uk.eu.bvpn.com.crt" --route 51.255.68.135 255.255.255.255 vpn_gateway --route 51.89.183.16 255.255.255.255 net_gateway --log "C:\Program Files (x86)\bVPN Service\bVPN\waselvpnserv_openvpn.log" --dev-node {CE1EECDD-F5A4-41E4-AC8E-7E823122FB50}
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:6100
- C:\Windows\SysWOW64\netsh.exe
  netsh int ip set interface "interface=Ethernet 2" metric=1
  2⤵
  PID:5196
- C:\Program Files (x86)\bVPN Service\bVPN\openvpn-wasel.exe
  "C:\Program Files (x86)\bVPN Service\bVPN\openvpn-wasel.exe" --remote 127.0.0.1 53481 udp --dev tun --client --resolv-retry infinite --nobind --persist-key --ns-cert-type server --comp-lzo --verb 3 --reneg-sec 0 --mssfix 1400 --route-delay 2 --redirect-gateway --auth-user-pass --hand-window 10 --block-outside-dns --explicit-exit-notify --management 127.0.0.1 52113 --management-client --management-query-passwords --management-hold --ca "C:\Users\Admin\AppData\Local\bVPN Service\bVPN\castore\streamtv.uk.bvpn.com.crt" --route 51.255.68.135 255.255.255.255 vpn_gateway --route 92.223.59.61 255.255.255.255 net_gateway --log "C:\Program Files (x86)\bVPN Service\bVPN\waselvpnserv_openvpn.log" --dev-node {CE1EECDD-F5A4-41E4-AC8E-7E823122FB50}
  2⤵
  - Executes dropped EXE
  PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4932
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f28af6d9-4071-f747-9895-b286dd108365}\oemvista.inf" "9" "4ef4192a7" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files (x86)\bvpn service\bvpn\tapbvpn\amd64"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4344
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{eab4fa66-fd19-7e4b-9ce2-2ac8fffa7522} Global\{198a1c06-6079-3246-9cd4-5a1a9733512b} C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\tapbvpn.cat
    3⤵
    PID:620
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tapbvpn.ndi:9.0.0.21:tapbvpn," "4ef4192a7" "0000000000000168"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:2708

C:\Users\Admin\Desktop\bVPN\bvpn.exe
"C:\Users\Admin\Desktop\bVPN\bvpn.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
"C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
"C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4128

C:\Users\Admin\Desktop\bVPN\iwasel_pro_updater.exe
"C:\Users\Admin\Desktop\bVPN\iwasel_pro_updater.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Users\Admin\Desktop\bVPN\iwasel_pro_updater.exe
"C:\Users\Admin\Desktop\bVPN\iwasel_pro_updater.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bvpn.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbe31446f8,0x7ffbe3144708,0x7ffbe3144718
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,13089254954967800229,6501498103058876502,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,13089254954967800229,6501498103058876502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,13089254954967800229,6501498103058876502,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13089254954967800229,6501498103058876502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13089254954967800229,6501498103058876502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4412

C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
"C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5468

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:5680

C:\Users\Admin\Desktop\bVPN\bvpn.exe
"C:\Users\Admin\Desktop\bVPN\bvpn.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bvpn.com/en/accounts/register/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:3452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbe31446f8,0x7ffbe3144708,0x7ffbe3144718
    3⤵
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8421252022838299524,8732774965751002486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:2268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8421252022838299524,8732774965751002486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8421252022838299524,8732774965751002486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    3⤵
    PID:2700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8421252022838299524,8732774965751002486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:5780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8421252022838299524,8732774965751002486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    3⤵
    PID:5784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,8421252022838299524,8732774965751002486,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3864 /prefetch:8
    3⤵
    PID:2808
- C:\Users\Admin\Desktop\bVPN\openvpn\tap\win64\tapinstall.exe
  C:\Users\Admin\Desktop\bVPN\openvpn\tap\win64\tapinstall.exe remove tap0901
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:964
- C:\Users\Admin\Desktop\bVPN\openvpn\tap\win64\tapinstall.exe
  C:\Users\Admin\Desktop\bVPN\openvpn\tap\win64\tapinstall.exe install C:\Users\Admin\Desktop\bVPN\openvpn\tap\win64\OemWin2k.inf tap0901
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4960
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.9:tap0901," "4d14a44ff" "000000000000013C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  PID:6128

C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
"C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
1⤵
PID:5580

C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
"C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
1⤵
PID:548

C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
"C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:372

C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
"C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5280

C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
"C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5144

C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe
"C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffbd3f2ab58,0x7ffbd3f2ab68,0x7ffbd3f2ab78
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:2
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4364 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4588 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5052 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5076 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5280 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5368 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5344 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:3688
- C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe
  "C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3364
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-2288054676-1871194608-3559553667-1000"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4364 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5368 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2416 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5824 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5744 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5748 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3440 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:2
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5896 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5356 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4596 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3364 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:8
  2⤵
  PID:5572
- C:\Users\Admin\Downloads\7z2404-x64.exe
  "C:\Users\Admin\Downloads\7z2404-x64.exe"
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies registry class
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=5724 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=5736 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3368 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=2312 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=4788 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6100 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5784 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=5932 --field-trial-handle=1616,i,17890867258835381664,5110662302368824584,131072 /prefetch:1
  2⤵
  PID:336

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5456

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\01eddc3458684f62a41d5fdf6017236c /t 4400 /p 4880
1⤵
PID:5444

C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe
"C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5252
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-2288054676-1871194608-3559553667-1000"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3504

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\248255da891a4f688a779f90df21cc12 /t 4316 /p 3504
1⤵
PID:852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3779:124:7zEvent21490
1⤵
- Executes dropped EXE
PID:3504

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:5780

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" ContextMenu
1⤵
PID:4912
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWD58.xml /skip TRUE
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3340
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"
    3⤵
    - Checks computer location settings
    PID:5868
  - - C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe
      "C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6016
    - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-2288054676-1871194608-3559553667-1000"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:4796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x2z4zhsh\x2z4zhsh.cmdline"
  2⤵
  PID:1860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1111.tmp" "c:\Users\Admin\AppData\Local\Temp\x2z4zhsh\CSC3C374F7610EF4F628CA6504B36395B1.TMP"
    3⤵
    PID:6076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fwaffyna\fwaffyna.cmdline"
  2⤵
  PID:2304
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES116F.tmp" "c:\Users\Admin\AppData\Local\Temp\fwaffyna\CSCCCECB953E68A42C38CABCF34B7F2F98E.TMP"
    3⤵
    PID:5928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wilg3hxb\wilg3hxb.cmdline"
  2⤵
  PID:372
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1631.tmp" "c:\Users\Admin\AppData\Local\Temp\wilg3hxb\CSCC68CDD6694D8488C9BF7C617EB6E38A.TMP"
    3⤵
    PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd3f2ab58,0x7ffbd3f2ab68,0x7ffbd3f2ab78
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:2
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:8
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4376 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4644 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4808 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4520 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4304 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3968 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3544 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5028 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2268 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3192 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4092 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5180 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5300 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5508 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5660 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5848 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5852 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6168 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6300 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5960 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5448 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5964 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6912 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6848 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7080 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6780 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7100 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5804 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=6832 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6020 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6208 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6336 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6284 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=6396 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=6876 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7684 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=7824 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6280 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=6408 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=7860 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=7696 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=8468 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=8600 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=8876 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=9064 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=8120 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=8456 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=7580 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=9136 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=5844 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=5592 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=6968 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=5868 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=6976 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=9148 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=7352 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=8472 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=8304 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=6348 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=8432 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=7620 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=7596 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=7936 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=9268 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=9400 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=9604 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=9636 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:6488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=9300 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=9900 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=10216 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=10220 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10292 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:8
  2⤵
  PID:7724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=8964 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=8884 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --mojo-platform-channel-handle=8972 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=9004 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:7756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=8832 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:8084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=10284 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8780 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:8
  2⤵
  PID:6152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8216 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8368 --field-trial-handle=1936,i,3911886281490970333,11335307702797092818,131072 /prefetch:2
  2⤵
  PID:2200

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5536

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
PID:2916

C:\Users\Admin\Downloads\TLauncher-2.53-Installer-0.5.2\TLauncher-2.53-Installer-0.5.2.exe
"C:\Users\Admin\Downloads\TLauncher-2.53-Installer-0.5.2\TLauncher-2.53-Installer-0.5.2.exe"
1⤵
PID:6888
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_3\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_3\irsetup.exe" __IRAOFF:1905802 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.53-Installer-0.5.2\TLauncher-2.53-Installer-0.5.2.exe" "__IRCT:1" "__IRTSS:15291107" "__IRSID:S-1-5-21-2288054676-1871194608-3559553667-1000"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6876

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\c44c6d49c5e34c13bece20911d3d4c91 /t 6716 /p 6876
1⤵
PID:2456

C:\Users\Admin\Downloads\TLauncher-2.53-Installer-0.5.2\TLauncher-2.53-Installer-0.5.2.exe
"C:\Users\Admin\Downloads\TLauncher-2.53-Installer-0.5.2\TLauncher-2.53-Installer-0.5.2.exe"
1⤵
PID:7768
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_4\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_4\irsetup.exe" __IRAOFF:1905802 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.53-Installer-0.5.2\TLauncher-2.53-Installer-0.5.2.exe" "__IRCT:1" "__IRTSS:15291107" "__IRSID:S-1-5-21-2288054676-1871194608-3559553667-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6764
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    PID:6748
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      PID:7612
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:4800
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xmx384m -cp C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\guice\4.1.0\guice-4.1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\extentions\guice-assistedinject\4.1.0\guice-assistedinject-4.1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\javax\inject\javax.inject\1\javax.inject-1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\aopalliance\aopalliance\1.0\aopalliance-1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\guava\guava\19.0\guava-19.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\commons\commons-lang3\3.4\commons-lang3-3.4.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\net\sf\jopt-simple\jopt-simple\4.9\jopt-simple-4.9.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\log4j\log4j\1.2.17\log4j-1.2.17.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tukaani\xz\1.5\xz-1.5.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\picture-bundle\2.6\picture-bundle-2.6.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\skin-server-API\1.0\skin-server-API-1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\tlauncher-resource\1.4\tlauncher-resource-1.4.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\github\junrar\junrar\0.7\junrar-0.7.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\dnsjava\dnsjava\2.1.8\dnsjava-2.1.8.jar; org.tlauncher.tlauncher.rmo.TLauncher
        5⤵
        Drops file in Program Files directory
        
        PID:6756

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:2896
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  PID:4352
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xmx384m -cp C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\guice\4.1.0\guice-4.1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\extentions\guice-assistedinject\4.1.0\guice-assistedinject-4.1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\javax\inject\javax.inject\1\javax.inject-1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\aopalliance\aopalliance\1.0\aopalliance-1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\guava\guava\19.0\guava-19.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\commons\commons-lang3\3.4\commons-lang3-3.4.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\net\sf\jopt-simple\jopt-simple\4.9\jopt-simple-4.9.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\log4j\log4j\1.2.17\log4j-1.2.17.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tukaani\xz\1.5\xz-1.5.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\picture-bundle\2.6\picture-bundle-2.6.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\skin-server-API\1.0\skin-server-API-1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\tlauncher-resource\1.4\tlauncher-resource-1.4.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\github\junrar\junrar\0.7\junrar-0.7.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\dnsjava\dnsjava\2.1.8\dnsjava-2.1.8.jar; org.tlauncher.tlauncher.rmo.TLauncher
    3⤵
    PID:4792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery