2dbd1033a26118d27915184864ad2a0add89d5ee3153eca157fadaa62ad19af5

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
283	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Network Service Discovery 1 TTPs 6 IoCs

Attempt to gather information on host's network.

Network Service Discovery

T1046

pid	Process
4568	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
10784	CefSharp.BrowserSubprocess.exe
3928	CefSharp.BrowserSubprocess.exe
5668	CefSharp.BrowserSubprocess.exe
3940	CefSharp.BrowserSubprocess.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	an53gnk4.wlz

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	wavebrowser.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Driver Support One\CefSharp.Core.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\System.Data.SQLite.Linq.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.AspNetCore.SignalR.Common.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\DotNetty.Handlers.dll	DSOneWeb.exe
File opened for modification	C:\Program Files (x86)\Driver Support One\System.Text.Encodings.Web.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.WindowsAPICodePack.Shell.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Uninstall.exe	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\WICAnimatedGif.exe	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\DriverSupport.One.Service.Model.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.AspNetCore.Authorization.Policy.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\vulkan-1.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\TriggerEngine.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.AspNetCore.Http.Connections.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\System.Threading.Channels.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUMAD1A.tmp\SWUpdaterComRegisterShell64.exe	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Driver Support One\snapshot_blob.bin	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.AspNetCore.Authorization.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.AspNetCore.SignalR.Client.dll	DSOneWeb.exe
File opened for modification	C:\Program Files (x86)\Driver Support One\System.Numerics.Vectors.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.Extensions.Configuration.Binder.dll	DSOneWeb.exe
File opened for modification	C:\Program Files (x86)\Driver Support One\sqlite.db-journal	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\ServiceLib.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\DSOneWebShutdown.exe	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\SQLite.Interop.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.AspNetCore.Http.Connections.Common.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\DotNetty.Buffers.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.Azure.Devices.Client.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.Bcl.AsyncInterfaces.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.Extensions.Configuration.dll	DSOneWeb.exe
File opened for modification	C:\Program Files (x86)\Driver Support One\DBPersist.db	DSOneWeb.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUMAD1A.tmp\SWUpdaterCore.exe	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Driver Support One\LiteDB.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUMAD1A.tmp\SWUpdaterSetup.exe	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Driver Support One\icudtl.dat	DSOneWeb.exe
File opened for modification	C:\Program Files (x86)\Driver Support One\JitDriverLib.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\sqlite3.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUMAD1A.tmp\SWUpdater.exe	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Driver Support One\d3dcompiler_47.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\vk_swiftshader.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Polly.Extensions.Http.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.AspNetCore.SignalR.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\an53gnk4.wlz	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\libGLESv2.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\System.Management.Automation.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\DnsClient.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.AspNetCore.Hosting.Server.Abstractions.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.Rest.ClientRuntime.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\System.Security.Principal.Windows.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\System.Text.Encodings.Web.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUMAD1A.tmp\psmachine_64.dll	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Driver Support One\DSOne.exe	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Azure.Core.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\DotNetty.Common.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\CefSharp.WinForms.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\AsurvioSnmpLib.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Microsoft.AspNetCore.Hosting.Abstractions.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\System.Diagnostics.DiagnosticSource.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Common45.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\HookLib.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\System.Text.Json.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\System.Threading.Tasks.Extensions.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Driver Support One\Asurvio.Client.Common.dll	DSOneWeb.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUMAD1A.tmp\swupdater.dll	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Driver Support One\IotLib.dll	DSOneWeb.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DFD155F4B986E4F873.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_755788499\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_527266860\ct_config.pb	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_218725684\safety_tips.pb	wavebrowser.exe
File created	C:\Windows\SystemTemp\~DF968BA27DEF7B79CE.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_1734092715\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_2045963759\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_2045963759\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_1076273682\LICENSE	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_218725684\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_1537380018\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_82625399\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_574807225\_metadata\verified_contents.json	wavebrowser.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\INF\c_processor.PNF	DSOneWeb.exe
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3008_794023224\manifest.json	DSOneWeb.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_539337563\crl-set	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_539337563\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_755788499\LICENSE.txt	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_755788499\Filtering Rules	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_527266860\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_82625399\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\Installer\e591989.msi	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	DSOneWeb.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_539337563\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_527266860\crs.pb	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_527266860\manifest.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_1635765304\manifest.fingerprint	wavebrowser.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\INF\c_display.PNF	DSOneWeb.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_1734092715\privacy-sandbox-attestations.dat	wavebrowser.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e59199c.msi	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3008_794023224\manifest.fingerprint	DSOneWeb.exe
File created	C:\Windows\Installer\SourceHash{3407B900-37F5-4CC2-B612-5CD5D580A163}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6177CBDFB7A68715.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_539337563\LICENSE	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_1076273682\_platform_specific\win_x64\widevinecdm.dll	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_1076273682\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_218725684\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_82625399\optimization-hints.pb	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_574807225\manifest.json	wavebrowser.exe
File opened for modification	C:\Windows\Installer\e591989.msi	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3008_794023224\_metadata\verified_contents.json	DSOneWeb.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_755788499\manifest.json	wavebrowser.exe
File created	C:\Windows\Installer\SourceHash{F4499EE3-A166-496C-81BB-51D1BCDC70A9}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF898BF3E080437E1B.TMP	msiexec.exe
File created	C:\Windows\INF\c_diskdrive.PNF	DSOneWeb.exe
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3008_794023224\_platform_specific\win_x64\widevinecdm.dll.sig	DSOneWeb.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_539337563\manifest.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_755788499\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_1537380018\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_1635765304\manifest.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_574807225\metadata.pb	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_574807225\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3008_794023224\LICENSE	DSOneWeb.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_2045963759\download_file_types.pb	wavebrowser.exe
File created	C:\Windows\INF\c_monitor.PNF	DSOneWeb.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8404_2045963759\manifest.json	wavebrowser.exe
File opened for modification	C:\Windows\Installer\MSI1F29.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF58EC475A6DE191F8.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20EF.tmp	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DriverUpdate.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Wave Browser.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
9728	powershell.exe
2216	powershell.exe
7732	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WebCompanion-Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller-v1.5.18.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WebCompanion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WebCompanion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DriverUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwjd1ewy.yjt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DSOneWeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WicAnimatedGif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	an53gnk4.wlz
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdaterSetup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
5980	SWUpdater.exe
9244	SWUpdater.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

System Time Discovery

T1124

pid	Process
9728	powershell.exe
5292	dotnet.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000400000002aafb-670.dat	nsis_installer_1
behavioral1/files/0x000400000002aafb-670.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 23 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	an53gnk4.wlz
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LocationInformation	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DSOneWeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b38cc7aac7e825c30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b38cc7aa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b38cc7aa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db38cc7aa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b38cc7aa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DSOneWeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DSOneWeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	DSOneWeb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	an53gnk4.wlz
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DSOneWeb.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WebCompanion.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WebCompanion.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	wavebrowser.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	wavebrowser.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676053143284932"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{3BE77C6E-0029-4F24-B677-32C9E15CD8F1}\NumMethods	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{E053F7BD-D525-49F4-9ADE-5D7E6FCEE775}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{DA4EFC2D-B243-4BA8-8A14-8937D867B699}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\.html\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{44367D77-92C0-45E8-840D-0C098E650CE8}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{64A19E70-BCFF-4808-A320-774FD11571E5}\NumMethods\ = "4"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WavesorSWUpdater.CredentialDialogUser\ = "SWUpdater CredentialDialog"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{CEF9DF20-AE5B-4A54-B479-9C2AFC1C2683}\ = "IPolicyStatus"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{D3C865DD-E36B-432E-9E47-554925B86737}\ = "IJobObserver2"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{44367D77-92C0-45E8-840D-0C098E650CE8}\NumMethods\ = "13"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{97518FC7-7CA2-4921-BC40-F4A07E221C1C}\NumMethods\ = "10"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{92333BDA-3022-4A7F-8858-081260EA85DE}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser.dll"	SWUpdater.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{E44DDEE0-3097-499E-9DD5-7D5D5DCC401D}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{44367D77-92C0-45E8-840D-0C098E650CE8}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{D669BD5D-A9B6-47FD-B558-81508AEF48C4}\NumMethods	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WavesorSWUpdater.CredentialDialogUser.1.0	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{E053F7BD-D525-49F4-9ADE-5D7E6FCEE775}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{CEF9DF20-AE5B-4A54-B479-9C2AFC1C2683}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{730EBDF4-7AD2-4516-BF1A-6C6F28C60CF9}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\CLSID\{3C41B0C4-B5B6-4293-BED4-C927CCFDB909}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\CLSID\{9E0CE9B5-C498-40A8-B7F2-B89AF1C56FFF}\VersionIndependentProgID	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{E4E159E0-7B9C-4D75-AC11-A80628173DE3}\NumMethods	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\Version = "14.32.31332.0"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\009B70435F732CC46B21C55D5D081A36	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{E4E4854F-9D7B-4120-A207-CF52C875F08E}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{730EBDF4-7AD2-4516-BF1A-6C6F28C60CF9}\NumMethods\ = "6"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{8129608C-48BD-42A6-9EBC-7B0933A5CFA3}\NumMethods	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{E44DDEE0-3097-499E-9DD5-7D5D5DCC401D}\NumMethods	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{44367D77-92C0-45E8-840D-0C098E650CE8}\NumMethods	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{B2083DCC-1D29-45E6-8386-BEE1488D11AA}\ProxyStubClsid32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{617E37E1-AC79-4162-BACC-C797A1D31D3E}\NumMethods\ = "5"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{50363C3E-2FB2-4EC0-A827-CD3314F526C5}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\CLSID\{1BE9D40C-2307-4213-830E-7E3CE9EDF0C2}	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{CEF9DF20-AE5B-4A54-B479-9C2AFC1C2683}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WaveBrwsHTM.HG6QSHMIR7V6ESS3JVFWG44V4A\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{6130C56B-9B2C-4D5D-8160-C7A583B5DC3B}\NumMethods	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{D3C865DD-E36B-432E-9E47-554925B86737}\NumMethods\ = "4"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{62A51DF2-CCB8-4DD9-9069-34B8461617FC}\NumMethods\ = "10"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\ = "PSFactoryBuffer"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\CLSID	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{D669BD5D-A9B6-47FD-B558-81508AEF48C4}\NumMethods\ = "4"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WavesorSWUpdater.Update3COMClassUser\CLSID	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{DA4EFC2D-B243-4BA8-8A14-8937D867B699}\NumMethods	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{C0151E6C-8D24-485D-BEC8-B6C6C82E26E8}\NumMethods\ = "23"	SWUpdater.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\CLSID\{2B2AD342-8BBC-40AD-AF1B-6887EAB9D3D0}\InprocHandler32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{E44B162B-4287-40B0-8E7A-6E251D80B3DF}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{DDF98EF0-2728-4A8D-8B0F-32627DC56437}\NumMethods	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{8129608C-48BD-42A6-9EBC-7B0933A5CFA3}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\Dependents\{3746f21b-c990-4045-bb33-1cf98cff7a68}	VC_redist.x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{D3C865DD-E36B-432E-9E47-554925B86737}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{D669BD5D-A9B6-47FD-B558-81508AEF48C4}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{068FAC78-4F23-4F74-99A0-F7C4797D5ECA}\NumMethods	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{B2083DCC-1D29-45E6-8386-BEE1488D11AA}	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WavesorSWUpdater.Update3COMClassUser.1.0	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\CLSID\{D12748C8-5013-45E2-9A24-2FB7C2EEFB7C}\VersionIndependentProgID\ = "WavesorSWUpdater.CredentialDialogUser"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WavesorSWUpdater.Update3WebUser\CLSID\ = "{30FB944E-9455-49DD-81C6-7542E47AA3E7}"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{44367D77-92C0-45E8-840D-0C098E650CE8}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Interface\{D3C865DD-E36B-432E-9E47-554925B86737}\NumMethods	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{E44DDEE0-3097-499E-9DD5-7D5D5DCC401D}\ProxyStubClsid32	SWUpdater.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	WebCompanion.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanion.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	DSOneWeb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DSOneWeb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DSOneWeb.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Wave Browser.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\DriverUpdate.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\n̵̛̗o̵̘̔t̴̽͜ ̴̮̈ǎ̴̖ ̶̡͝v̴̮͝i̵̟͂r̷̖͐ú̶͕ṡ̴͙.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2016	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	chrome.exe
2268	chrome.exe
1480	chrome.exe
1480	chrome.exe
3136	msiexec.exe
3136	msiexec.exe
3136	msiexec.exe
3136	msiexec.exe
3136	msiexec.exe
3136	msiexec.exe
3136	msiexec.exe
3136	msiexec.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1828	WebCompanion-Installer.exe
1828	WebCompanion-Installer.exe
1828	WebCompanion-Installer.exe
1828	WebCompanion-Installer.exe
1828	WebCompanion-Installer.exe
1828	WebCompanion-Installer.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
5852	DSOneWebWD.exe
5852	DSOneWebWD.exe
5852	DSOneWebWD.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
5856	WebCompanion.exe
5856	WebCompanion.exe
3928	CefSharp.BrowserSubprocess.exe
3928	CefSharp.BrowserSubprocess.exe
5668	CefSharp.BrowserSubprocess.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2268	chrome.exe
Token: SeCreatePagefilePrivilege	2268	chrome.exe
Token: SeShutdownPrivilege	2268	chrome.exe
Token: SeCreatePagefilePrivilege	2268	chrome.exe
Token: SeShutdownPrivilege	2268	chrome.exe
Token: SeCreatePagefilePrivilege	2268	chrome.exe
Token: SeShutdownPrivilege	2268	chrome.exe
Token: SeCreatePagefilePrivilege	2268	chrome.exe
Token: SeShutdownPrivilege	2268	chrome.exe
Token: SeCreatePagefilePrivilege	2268	chrome.exe
Token: SeShutdownPrivilege	2268	chrome.exe
Token: SeCreatePagefilePrivilege	2268	chrome.exe
Token: SeShutdownPrivilege	2268	chrome.exe
Token: SeCreatePagefilePrivilege	2268	chrome.exe
Token: SeShutdownPrivilege	2268	chrome.exe
Token: SeCreatePagefilePrivilege	2268	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
7792	WebCompanion.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
3008	DSOneWeb.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
8404	wavebrowser.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5952	DriverUpdate.exe
5208	vc_redist.exe
5412	vc_redist.exe
5184	VC_redist.x64.exe
3908	VC_redist.x64.exe
6960	VC_redist.x64.exe
6184	VC_redist.x64.exe
6168	DSOneWeb.exe
3692	WicAnimatedGif.exe
3692	WicAnimatedGif.exe
2356	kwjd1ewy.yjt

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2016	1152	cmd.exe	79
PID 1152 wrote to memory of 2016	1152	cmd.exe	79
PID 2268 wrote to memory of 4428	2268	chrome.exe	83
PID 2268 wrote to memory of 4428	2268	chrome.exe	83
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 4548	2268	chrome.exe	84
PID 2268 wrote to memory of 232	2268	chrome.exe	85
PID 2268 wrote to memory of 232	2268	chrome.exe	85
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86
PID 2268 wrote to memory of 976	2268	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\text.txt
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\text.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1e7ecc40,0x7ffc1e7ecc4c,0x7ffc1e7ecc58
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,13641674365666040826,3699785444393386746,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,13641674365666040826,3699785444393386746,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,13641674365666040826,3699785444393386746,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,13641674365666040826,3699785444393386746,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,13641674365666040826,3699785444393386746,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3748,i,13641674365666040826,3699785444393386746,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,13641674365666040826,3699785444393386746,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,13641674365666040826,3699785444393386746,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:2752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1e7ecc40,0x7ffc1e7ecc4c,0x7ffc1e7ecc58
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=1912 /prefetch:3
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=4424 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4252
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7aa8a4698,0x7ff7aa8a46a4,0x7ff7aa8a46b0
    3⤵
    - Drops file in Windows directory
    PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4416,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4308,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3404,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5252,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3360,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5224,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5404,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5568,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4560,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5864,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5880,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6184,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6316,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6008,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6176,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6764,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6888,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7052,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6708,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6652,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5688,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6500,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5764,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5752,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=7344,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7360 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=5820,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7024,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7772,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7640 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=7940,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7948 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=8076,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8100 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=7232,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7280 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6180,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7468 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=8124,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7932 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8232,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8260 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=8536,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8420 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=8672,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8680 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=9128,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9044 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=8280,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9120 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=8852,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8964 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=8928,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9200 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=9388,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9340 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=8416,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8080 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=8120,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8136 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=9104,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8996 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=8552,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9112 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=8736,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8760 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=8240,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8340 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=9300,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8876 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=9064,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9108 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=9604,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9600 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=8504,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8364 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=8168,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8716 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=8744,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9308 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=8112,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9384 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=9812,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9852 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=10100,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10216 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=9796,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10512 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=10636,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10640 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=10628,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10404 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=9816,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10820 /prefetch:1
  2⤵
  PID:6212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=9924,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10932 /prefetch:8
  2⤵
  PID:7056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=9940,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9856 /prefetch:8
  2⤵
  PID:7064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=10368,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11076 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:7152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=10220,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10092 /prefetch:1
  2⤵
  PID:6440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=11064,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9152 /prefetch:1
  2⤵
  PID:6356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5660,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - NTFS ADS
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=5616,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=3544,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9948 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=5332,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --field-trial-handle=8884,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9840 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --field-trial-handle=6432,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=10856,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:6568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=6244,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8516 /prefetch:1
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --field-trial-handle=9900,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10660 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --field-trial-handle=6256,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --field-trial-handle=6204,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=8820,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8264 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --field-trial-handle=5556,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --field-trial-handle=11076,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9584 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --field-trial-handle=5640,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:6168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --field-trial-handle=4520,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9840 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --field-trial-handle=7504,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7732 /prefetch:1
  2⤵
  PID:6668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --field-trial-handle=6896,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10880 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --field-trial-handle=5860,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --field-trial-handle=4756,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --field-trial-handle=5708,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --field-trial-handle=6216,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --field-trial-handle=9144,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10344 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --field-trial-handle=5416,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10212 /prefetch:1
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --field-trial-handle=9040,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9028 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --field-trial-handle=8796,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --field-trial-handle=5004,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:6152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --field-trial-handle=9148,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --field-trial-handle=5484,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9488 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --field-trial-handle=8256,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --field-trial-handle=6524,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6584,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --field-trial-handle=7628,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --field-trial-handle=7864,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7816 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --field-trial-handle=5788,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8340 /prefetch:1
  2⤵
  PID:6744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --field-trial-handle=8564,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9008 /prefetch:1
  2⤵
  PID:6280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --field-trial-handle=7876,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --field-trial-handle=6948,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=113 --field-trial-handle=6972,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10436 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7512,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7568 /prefetch:8
  2⤵
  PID:7028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5940,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  PID:7036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=10384,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8316 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1020
- C:\Users\Admin\Downloads\Setup.exe
  "C:\Users\Admin\Downloads\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5752
- - C:\Users\Admin\AppData\Local\Temp\7zS876E1F99\WebCompanion-Installer.exe
    .\WebCompanion-Installer.exe --savename=Setup.exe --partner=IN240401 --nonadmin --direct --tych --campaign=18264794070 --version=13.900.0.1080
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
      4⤵
      System Location Discovery: System Language Discovery
      PID:4248
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh http add urlacl url=http://+:9007/ user=Everyone
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6592
  - - C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe
      "C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:5856
  - - C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe
      "C:\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion.exe" --afterinstall
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of SendNotifyMessage
      PID:7792
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://webcompanion.com/en/install.php?partner=IN240401&campaign=18264794070&
      4⤵
      PID:7864
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc1e7ecc40,0x7ffc1e7ecc4c,0x7ffc1e7ecc58
        5⤵
        
        PID:7880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --field-trial-handle=4972,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9372 /prefetch:1
  2⤵
  PID:6504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --field-trial-handle=10484,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9252 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=119 --field-trial-handle=7192,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11016 /prefetch:1
  2⤵
  PID:6976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=120 --field-trial-handle=7680,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7892 /prefetch:1
  2⤵
  PID:7028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --field-trial-handle=11232,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11224 /prefetch:1
  2⤵
  PID:6920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --field-trial-handle=6836,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=123 --field-trial-handle=11140,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11144 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=124 --field-trial-handle=5336,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11068 /prefetch:1
  2⤵
  PID:6908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=125 --field-trial-handle=10532,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10688 /prefetch:1
  2⤵
  PID:7144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=126 --field-trial-handle=8788,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8784 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=127 --field-trial-handle=11164,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10020 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --field-trial-handle=11080,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:6748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=129 --field-trial-handle=11056,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9420 /prefetch:1
  2⤵
  PID:7112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=130 --field-trial-handle=5736,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9416 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=131 --field-trial-handle=9412,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:7412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=132 --field-trial-handle=3780,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:7420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --field-trial-handle=7740,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:7436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=134 --field-trial-handle=7604,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11336 /prefetch:1
  2⤵
  PID:7444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=135 --field-trial-handle=7040,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11476 /prefetch:1
  2⤵
  PID:7452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=136 --field-trial-handle=11696,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=2640 /prefetch:1
  2⤵
  PID:10020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=137 --field-trial-handle=11712,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11708 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=138 --field-trial-handle=11744,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11732 /prefetch:1
  2⤵
  PID:9368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=139 --field-trial-handle=9788,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=140 --field-trial-handle=11760,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10528 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=141 --field-trial-handle=9948,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=142 --field-trial-handle=7160,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9808 /prefetch:1
  2⤵
  PID:10120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=11952,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:9932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5172,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11880 /prefetch:8
  2⤵
  PID:10116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6808,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11700 /prefetch:8
  2⤵
  PID:10140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6844,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  PID:9948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5508,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=7364 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=11856,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11908 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:7412
- C:\Users\Admin\Downloads\Wave Browser.exe
  "C:\Users\Admin\Downloads\Wave Browser.exe"
  2⤵
  - Executes dropped EXE
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\Wave\SWUpdaterSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave\SWUpdaterSetup.exe" /install "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1&experiments=vpro2%3don%7cSun%2c%201%20Sep%202024%2000%3a00%3a00%20%2b0300"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:6328
  - - C:\Program Files (x86)\Wavesor\Temp\GUMAD1A.tmp\SWUpdater.exe
      "C:\Program Files (x86)\Wavesor\Temp\GUMAD1A.tmp\SWUpdater.exe" /install "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1&experiments=vpro2%3don%7cSun%2c%201%20Sep%202024%2000%3a00%3a00%20%2b0300"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      PID:6040
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /regserver
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:7052
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6084
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJTV1VwZGF0ZXIiIHVwZGF0ZXJ2ZXJzaW9uPSIxLjMuMTMzLjAiIHNoZWxsX3ZlcnNpb249IjEuMy4xMzMuMCIgaXNtYWNoaW5lPSIwIiBzZXNzaW9uaWQ9IntDMjMzMjM0RS02MDVGLTQ3QzktQjhBRC04N0UyRUZGQjY1RDB9IiB1c2VyaWQ9InthZjM4N2EwNy03N2ExLTRjNDgtYWQwOS05OWMyN2FlZDE3NzR9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHJlcXVlc3RpZD0iezRGNUNGNUMzLTUzRDUtNDJCOC1CRTlDLTNBOTI2MjY0RDRBN30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntGNkY2MEFDRS03MUFELTQ2MTAtODBENC05MjUzNzI5RkI0Qjd9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTMzLjAiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIyNjEiLz48L2FwcD48L3JlcXVlc3Q-
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5980
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /handoff "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1&experiments=vpro2%3don%7cSun%2c%201%20Sep%202024%2000%3a00%3a00%20%2b0300" /installsource otherinstallcmd /sessionid "{C233234E-605F-47C9-B8AD-87E2EFFB65D0}"
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=149 --field-trial-handle=6516,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=10416 /prefetch:1
  2⤵
  PID:6732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=150 --field-trial-handle=8312,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=8708 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=151 --field-trial-handle=9060,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=9996 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=152 --field-trial-handle=10468,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11720 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=153 --field-trial-handle=10004,i,5546014507611164121,11285869934785158126,262144 --variations-seed-version=20240808-050142.731000 --mojo-platform-channel-handle=11980 /prefetch:1
  2⤵
  PID:2888

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4844

C:\Users\Admin\Downloads\DriverUpdate.exe
"C:\Users\Admin\Downloads\DriverUpdate.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5952
- C:\Users\Admin\AppData\Local\Temp\vc_redist.exe
  "C:\Users\Admin\AppData\Local\Temp\vc_redist.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5208
- - C:\Windows\Temp\{7A0FB3AA-E0E7-4739-A7D3-512939CCDFDD}\.cr\vc_redist.exe
    "C:\Windows\Temp\{7A0FB3AA-E0E7-4739-A7D3-512939CCDFDD}\.cr\vc_redist.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.exe" -burn.filehandle.attached=592 -burn.filehandle.self=712 /install /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5412
  - - C:\Windows\Temp\{8047818C-D39E-42F3-9B91-B949C7B61F78}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{8047818C-D39E-42F3-9B91-B949C7B61F78}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{CA8A3B70-A9CA-469E-B9BF-C0CF4C0D56F9} {771B0262-5991-4B07-9377-166FC75F8A0C} 5412
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5184
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={3746f21b-c990-4045-bb33-1cf98cff7a68} -burn.filehandle.self=964 -burn.embedded BurnPipe.{4520AEC1-DD33-41A8-9059-2861AACA345F} {8D09BF4B-2C35-4C9B-9853-EB674036226B} 5184
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3908
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=572 -burn.filehandle.self=588 -uninstall -quiet -burn.related.upgrade -burn.ancestors={3746f21b-c990-4045-bb33-1cf98cff7a68} -burn.filehandle.self=964 -burn.embedded BurnPipe.{4520AEC1-DD33-41A8-9059-2861AACA345F} {8D09BF4B-2C35-4C9B-9853-EB674036226B} 5184
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6960
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0DC0C72B-AEBF-4240-89AF-2B326527DB61} {69EDD7FC-9349-4523-ABA0-DF7C4B8751E1} 6960
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6184
- C:\Users\Admin\AppData\Local\Temp\DSOneWeb.exe
  "C:\Users\Admin\AppData\Local\Temp\DSOneWeb.exe" /LANGUAGE:1033 /WELCOME_SHOWN:true /AGREE_TO_LICENSE:true /TID: /BOOTSTRAPPERPATH:"C:\Users\Admin\Downloads\DriverUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6168
- - C:\Program Files (x86)\Driver Support One\WicAnimatedGif.exe
    "C:\Program Files (x86)\Driver Support One\WicAnimatedGif.exe" -file DSOneWebInstall.Gif -timeout 120
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3692
- - C:\Program Files (x86)\Driver Support One\DSOneWeb.exe
    "C:\Program Files (x86)\Driver Support One\DSOneWeb.exe" -frontUrl:"https://front.driversupport.com" -channel:"gdn_ds1web" -install=true /epid:6168 /installPackagePath:"C:\Users\Admin\AppData\Local\Temp\DSOneWeb.exe" /updated:false /bootStrapperPath:"C:\Users\Admin\Downloads\DriverUpdate.exe" /installerID:{90AC3716-E964-46A1-BFA5-119BD1E6A85E}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:3008
  - - C:\Program Files (x86)\Driver Support One\kwjd1ewy.yjt
      "C:\Program Files (x86)\Driver Support One\kwjd1ewy.yjt"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2356
  - - C:\Program Files (x86)\Driver Support One\DSOneWebWD.exe
      "C:\Program Files (x86)\Driver Support One\DSOneWebWD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5852
  - - C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe
      "C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\ProgramData\Asurvio\DSOneWeb\guicache" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files (x86)\Driver Support One\debug.log" --mojo-platform-channel-handle=4968 --field-trial-handle=4972,i,1533720264964382456,13465590007717420094,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 --host-process-id=3008
      4⤵
      Executes dropped EXE
      Network Service Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3928
  - - C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe
      "C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\ProgramData\Asurvio\DSOneWeb\guicache" --cefsharpexitsub --log-file="C:\Program Files (x86)\Driver Support One\debug.log" --mojo-platform-channel-handle=3828 --field-trial-handle=4972,i,1533720264964382456,13465590007717420094,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 --host-process-id=3008
      4⤵
      Executes dropped EXE
      Network Service Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5668
  - - C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe
      "C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\ProgramData\Asurvio\DSOneWeb\guicache" --cefsharpexitsub --log-file="C:\Program Files (x86)\Driver Support One\debug.log" --mojo-platform-channel-handle=6060 --field-trial-handle=4972,i,1533720264964382456,13465590007717420094,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 --host-process-id=3008
      4⤵
      Executes dropped EXE
      Network Service Discovery
      PID:3940
  - - C:\Program Files (x86)\Driver Support One\an53gnk4.wlz
      "C:\Program Files (x86)\Driver Support One\an53gnk4.wlz"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:5660
  - - C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe
      "C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe" --type=renderer --log-severity=disable --user-data-dir="C:\ProgramData\Asurvio\DSOneWeb\guicache" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Program Files (x86)\Driver Support One\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=6200 --field-trial-handle=4972,i,1533720264964382456,13465590007717420094,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --host-process-id=3008 /prefetch:1
      4⤵
      Executes dropped EXE
      Network Service Discovery
      PID:1536
  - - C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe
      "C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe" --type=renderer --log-severity=disable --user-data-dir="C:\ProgramData\Asurvio\DSOneWeb\guicache" --cefsharpexitsub --no-sandbox --log-file="C:\Program Files (x86)\Driver Support One\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=6212 --field-trial-handle=4972,i,1533720264964382456,13465590007717420094,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --host-process-id=3008 /prefetch:1
      4⤵
      Executes dropped EXE
      Network Service Discovery
      PID:4568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-AppxPackage -Name ‘microsoftwindows.client.cbs’ | Select-Object -ExpandProperty Version
      4⤵
      PID:9380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "dotnet --info"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7732
    - - C:\Program Files\dotnet\dotnet.exe
        
        "C:\Program Files\dotnet\dotnet.exe" --info
        5⤵
        
        PID:10088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "dotnet --list-runtimes"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Time Discovery
      PID:9728
    - - C:\Program Files\dotnet\dotnet.exe
        
        "C:\Program Files\dotnet\dotnet.exe" --list-runtimes
        5⤵
        System Time Discovery
        
        PID:5292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "dotnet --list-sdks"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2216
    - - C:\Program Files\dotnet\dotnet.exe
        
        "C:\Program Files\dotnet\dotnet.exe" --list-sdks
        5⤵
        
        PID:3128
  - - C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe
      "C:\Program Files (x86)\Driver Support One\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\ProgramData\Asurvio\DSOneWeb\guicache" --cefsharpexitsub --log-file="C:\Program Files (x86)\Driver Support One\debug.log" --mojo-platform-channel-handle=19440 --field-trial-handle=4972,i,1533720264964382456,13465590007717420094,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 --host-process-id=3008
      4⤵
      Network Service Discovery
      PID:10784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5724

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3136

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2328

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004CC
1⤵
PID:4876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1996

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" -Embedding
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:2236
- C:\Users\Admin\Wavesor Software\SWUpdater\Install\{6FA8D561-BD9A-48C7-9852-BF9C9EC7C617}\WaveInstaller-v1.5.18.2.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\Install\{6FA8D561-BD9A-48C7-9852-BF9C9EC7C617}\WaveInstaller-v1.5.18.2.exe" /installerdata="C:\Users\Admin\AppData\Local\Temp\guiDB9C.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8464
- - C:\Users\Admin\AppData\Local\Temp\nshDF46.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\nshDF46.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\nshDF46.tmp\wavebrowser.packed.7z" --wid=o63izdu2 --installerdata="C:\Users\Admin\AppData\Local\Temp\guiDB9C.tmp"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:8568
  - - C:\Users\Admin\AppData\Local\Temp\nshDF46.tmp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\nshDF46.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.5.18.2 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff74fcf12d0,0x7ff74fcf12dc,0x7ff74fcf12e8
      4⤵
      Executes dropped EXE
      PID:8436
  - - C:\Users\Admin\AppData\Local\Temp\nshDF46.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\nshDF46.tmp\setup.exe" --verbose-logging --installerdata="C:\Users\Admin\AppData\Local\Temp\guiDB9C.tmp" --create-shortcuts=0 --install-level=0
      4⤵
      Executes dropped EXE
      PID:9728
    - - C:\Users\Admin\AppData\Local\Temp\nshDF46.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\nshDF46.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.5.18.2 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff74fcf12d0,0x7ff74fcf12dc,0x7ff74fcf12e8
        5⤵
        Executes dropped EXE
        
        PID:1068
  - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
      "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --install-type=1 --from-installer
      4⤵
      Executes dropped EXE
      Checks system information in the registry
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious use of SendNotifyMessage
      PID:8404
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.5.18.2 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbd9d6ccf0,0x7ffbd9d6ccfc,0x7ffbd9d6cd08
        5⤵
        Executes dropped EXE
        
        PID:5964
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=gpu-process --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=1972 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:9752
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --start-stack-profiler --field-trial-handle=1796,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=2012 /prefetch:3
        5⤵
        Executes dropped EXE
        
        PID:4036
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=2348 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:7052
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2912,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3232 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:3544
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2920,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3420 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:8416
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3272,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3588 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4212
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4464,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4472 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5240
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4192,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4604 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6836
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4352,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4608 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:200
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4684,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4772 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:3808
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4704,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4696 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:4964
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4712,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4984 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:4044
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4720,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5100 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:9756
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4728,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5220 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:5180
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4736,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5336 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:9436
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4752,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5452 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:6312
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4780,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5568 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:9988
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4788,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5684 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:7164
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6368,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6380 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:10104
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6372,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6496 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:1728
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6672,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6748 /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:9500
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6048,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3428 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:8452
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7260 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:9380
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6996,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7404 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5456
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7008,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7548 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5576
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7040,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7688 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6388
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6880,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7832 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6556
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7012,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7976 /prefetch:8
        5⤵
        
        PID:5940
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7076,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8116 /prefetch:8
        5⤵
        
        PID:7916
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7100,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8268 /prefetch:8
        5⤵
        
        PID:3048
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6268 /prefetch:8
        5⤵
        
        PID:10604
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8464,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8460 /prefetch:8
        5⤵
        
        PID:10672
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7120,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8644 /prefetch:8
        5⤵
        
        PID:10748
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8696,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8708 /prefetch:8
        5⤵
        
        PID:10804
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8596,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8140 /prefetch:8
        5⤵
        
        PID:11080
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6960,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7056 /prefetch:8
        5⤵
        
        PID:11092
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6168,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6072 /prefetch:8
        5⤵
        
        PID:11104
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7016,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6224 /prefetch:8
        5⤵
        
        PID:11224
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8508 /prefetch:8
        5⤵
        
        PID:11236
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7148,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7232 /prefetch:8
        5⤵
        
        PID:11248
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7228,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4504 /prefetch:8
        5⤵
        
        PID:11260
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7216,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4556 /prefetch:8
        5⤵
        
        PID:6472
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7204,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7264 /prefetch:8
        5⤵
        
        PID:6732
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7192,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7472 /prefetch:8
        5⤵
        
        PID:4180
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7180,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7336 /prefetch:8
        5⤵
        
        PID:10312
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7164,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8836 /prefetch:8
        5⤵
        
        PID:10420
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8844,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8376 /prefetch:8
        5⤵
        
        PID:10308
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8956,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7136 /prefetch:8
        5⤵
        
        PID:10284
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8992,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9000 /prefetch:8
        5⤵
        
        PID:10500
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7212,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7144 /prefetch:8
        5⤵
        
        PID:9368
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6584,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6624 /prefetch:8
        5⤵
        
        PID:6168
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6560,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6404 /prefetch:8
        5⤵
        
        PID:10840
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6964,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6608 /prefetch:8
        5⤵
        
        PID:11200
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6544,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9268 /prefetch:8
        5⤵
        
        PID:10752
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=9256,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9416 /prefetch:8
        5⤵
        
        PID:10908
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6524,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9564 /prefetch:8
        5⤵
        
        PID:10532
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=9704,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9716 /prefetch:8
        5⤵
        
        PID:10508
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=9700,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9868 /prefetch:8
        5⤵
        
        PID:10944
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=9408,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9260 /prefetch:8
        5⤵
        
        PID:10996
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=9708,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10160 /prefetch:8
        5⤵
        
        PID:11032
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=10304,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10316 /prefetch:8
        5⤵
        
        PID:11184
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5996,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10472 /prefetch:8
        5⤵
        
        PID:10248
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=10148,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10608 /prefetch:8
        5⤵
        
        PID:5712
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=10744,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10756 /prefetch:8
        5⤵
        
        PID:10452
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=10888,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10896 /prefetch:8
        5⤵
        
        PID:10912
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=11052,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11060 /prefetch:2
        5⤵
        
        PID:11568
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=11040,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11036 /prefetch:8
        5⤵
        
        PID:11688
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=11336,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11344 /prefetch:2
        5⤵
        
        PID:11144
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=11516,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11544 /prefetch:2
        5⤵
        
        PID:9380
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=11568,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11696 /prefetch:8
        5⤵
        
        PID:6660
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=11844,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11840 /prefetch:8
        5⤵
        
        PID:8584
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=11988,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12000 /prefetch:8
        5⤵
        
        PID:9444
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=12144,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12156 /prefetch:8
        5⤵
        
        PID:11460
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=11984,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12292 /prefetch:8
        5⤵
        
        PID:11752
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=12444,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12456 /prefetch:8
        5⤵
        
        PID:11764
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=12440,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11976 /prefetch:8
        5⤵
        
        PID:12152
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=12732,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12596 /prefetch:8
        5⤵
        
        PID:6084
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5688,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6152 /prefetch:8
        5⤵
        
        PID:11708
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=12884,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13016 /prefetch:8
        5⤵
        
        PID:11936
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13164,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13176 /prefetch:8
        5⤵
        
        PID:12248
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13168,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11980 /prefetch:8
        5⤵
        
        PID:10480
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13332,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13512 /prefetch:8
        5⤵
        
        PID:10760
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13316,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13652 /prefetch:8
        5⤵
        
        PID:6756
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13340,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13796 /prefetch:8
        5⤵
        
        PID:11216
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13348,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13940 /prefetch:8
        5⤵
        
        PID:10692
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13356,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14080 /prefetch:8
        5⤵
        
        PID:10408
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13364,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14224 /prefetch:8
        5⤵
        
        PID:7888
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13380,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14368 /prefetch:8
        5⤵
        
        PID:11108
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --field-trial-handle=13376,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14524 /prefetch:2
        5⤵
        
        PID:11076
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --field-trial-handle=8116,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7232 /prefetch:2
        5⤵
        
        PID:10548
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --field-trial-handle=14724,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14716 /prefetch:2
        5⤵
        
        PID:11316
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --field-trial-handle=14772,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15064 /prefetch:2
        5⤵
        
        PID:11324
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --field-trial-handle=14796,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15232 /prefetch:2
        5⤵
        
        PID:11840
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --field-trial-handle=14828,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15440 /prefetch:2
        5⤵
        
        PID:11892
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --field-trial-handle=14848,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15512 /prefetch:2
        5⤵
        
        PID:11940
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --field-trial-handle=14860,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15844 /prefetch:2
        5⤵
        
        PID:11872
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=14940,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16024 /prefetch:8
        5⤵
        
        PID:12192
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --field-trial-handle=15312,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14952 /prefetch:2
        5⤵
        
        PID:12016
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --field-trial-handle=15504,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16340 /prefetch:2
        5⤵
        
        PID:12124
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --field-trial-handle=15872,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15896 /prefetch:1
        5⤵
        
        PID:9312
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=16368,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16724 /prefetch:8
        5⤵
        
        PID:11500
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --field-trial-handle=16544,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16540 /prefetch:2
        5⤵
        
        PID:11548
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=16548,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16048 /prefetch:8
        5⤵
        
        PID:11556
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=16696,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9864 /prefetch:8
        5⤵
        
        PID:10644
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7136,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7332 /prefetch:8
        5⤵
        
        PID:12144
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --field-trial-handle=9000,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6552 /prefetch:1
        5⤵
        
        PID:11328
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=16644,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8360 /prefetch:8
        5⤵
        
        PID:11140
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=13812,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5668 /prefetch:8
        5⤵
        
        PID:11936
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=17016,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6716 /prefetch:8
        5⤵
        
        PID:11192
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8792,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4984 /prefetch:8
        5⤵
        
        PID:11220
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=17064,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5576 /prefetch:8
        5⤵
        
        PID:10332
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5328,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11156 /prefetch:8
        5⤵
        
        PID:11132
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5324,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6956 /prefetch:8
        5⤵
        
        PID:10744
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5344,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4968 /prefetch:8
        5⤵
        
        PID:10608
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11372 /prefetch:8
        5⤵
        
        PID:11368
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --field-trial-handle=16404,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16080 /prefetch:2
        5⤵
        
        PID:11716
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11484 /prefetch:8
        5⤵
        
        PID:3868
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6736,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6852 /prefetch:8
        5⤵
        
        PID:11040
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=11424,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6684 /prefetch:8
        5⤵
        
        PID:8512
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3376,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3352 /prefetch:8
        5⤵
        
        PID:9808
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=15712,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16560 /prefetch:8
        5⤵
        
        PID:3020
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4000,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3176 /prefetch:8
        5⤵
        
        PID:11040
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=125 --field-trial-handle=496,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16496 /prefetch:2
        5⤵
        
        PID:5844
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=15956,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15948 /prefetch:8
        5⤵
        
        PID:12140
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=556,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15960 /prefetch:8
        5⤵
        
        PID:11224
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=16496,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15988 /prefetch:8
        5⤵
        
        PID:10840
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=11556,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15988 /prefetch:8
        5⤵
        
        PID:10628
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=130 --field-trial-handle=15976,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15536 /prefetch:2
        5⤵
        
        PID:11644
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6228,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16480 /prefetch:8
        5⤵
        
        PID:10588
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=16488,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16436 /prefetch:8
        5⤵
        
        PID:3320
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6700,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16444 /prefetch:8
        5⤵
        
        PID:8252
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=134 --field-trial-handle=16452,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16492 /prefetch:2
        5⤵
        
        PID:9132
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=16468,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8932 /prefetch:8
        5⤵
        
        PID:9776
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1088,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16356 /prefetch:8
        5⤵
        
        PID:10480
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=137 --field-trial-handle=8564,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16088 /prefetch:2
        5⤵
        
        PID:11084
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=16484,i,16998099422918462049,7133190635655145068,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16480 /prefetch:8
        5⤵
        
        PID:7920
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJTV1VwZGF0ZXIiIHVwZGF0ZXJ2ZXJzaW9uPSIxLjMuMTMzLjAiIHNoZWxsX3ZlcnNpb249IjEuMy4xMzMuMCIgaXNtYWNoaW5lPSIwIiBzZXNzaW9uaWQ9IntDMjMzMjM0RS02MDVGLTQ3QzktQjhBRC04N0UyRUZGQjY1RDB9IiB1c2VyaWQ9InthZjM4N2EwNy03N2ExLTRjNDgtYWQwOS05OWMyN2FlZDE3NzR9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHJlcXVlc3RpZD0iezhFQUEzNEE5LTMxRDMtNDY3Ni1BN0JCLUUwMUQwMzJDQjQ0MX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntFQjE0OUFEMi1DRTRFLTRGNTEtQjdGQy1BMTQ5RkFBNENDQUZ9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjUuMTguMiIgbGFuZz0iZW4iIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0idnBybzI9b24iIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwczovL2Nkbi5zd3VwZGF0ZXIuY29tL2J1aWxkL1dhdmVCcm93c2VyL3N0YWJsZS93aW4vMTEyMDk4NzY0MzkwNi82NC9XYXZlSW5zdGFsbGVyLXYxLjUuMTguMi5leGUiIGRvd25sb2FkZWQ9IjEwNjgxMTA4MCIgdG90YWw9IjEwNjgxMTA4MCIgZG93bmxvYWRfdGltZV9tcz0iNzg4MSIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijg0NyIgZG93bmxvYWRfdGltZV9tcz0iODkzNiIgZG93bmxvYWRlZD0iMTA2ODExMDgwIiB0b3RhbD0iMTA2ODExMDgwIiBpbnN0YWxsX3RpbWVfbXM9IjEyODE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:10956

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /c
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:12280
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /cr
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ua /installsource core
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:2508

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ua /installsource scheduler
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:11176
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /registermsihelper
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:3968

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" -Embedding
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:5576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery